Safari 1st Party Cookies

As part of Apple’s ITP 2.1 changes, 1st party (1p) cookies in Safari set by Control Tag will expire after 7 days. If you do not revisit a site within 7 days to keep your cookie refreshed, the cookie will expire and you will get a new identifier the next time you visit the site. This will negatively impact our ability to track users.

First Party Cookie Tracking

You can use Audience Studio to better manage first-party cookie tracking on your site from Safari, to comply with Safari’s new policies for handling first- and third-party cookie tracking. We removed and deprecated support for fingerprint tracking on Safari. Instead, you can replace fingerprint tracking with Audience Studio first-party cookie tracking, or alternately, use your existing first-party cookies.

To enable first-party cookie tracking for Safari, contact Audience Studio Support. Tracking is subject to the expiry restriction imposed by Safari on client-side cookies.

Site Managed First Party Cookies

Sites can avoid the problem of rapidly-expiring cookies by having their web servers instruct browsers to set a cookie automatically, versus setting the cookie via the browser. With this approach, when a user navigates to the client site, it will issue an HTTP request for the page content. The server response will include include a “Set-Cookie” HTTP header. Safari will read this header and set a cookie which is not subject to the 7-day expiration of browser-based cookies such as those set by the Audience Studio Control Tag.

You can configure the Control Tag to read this 1p cookie and use its value as a device identifier. This technique, known as Site-Managed 1p Cookies, provides significantly higher accuracy counts due to the longer expiry times associated with these server-side configured cookies.


  • Sites should respond to content requests with Set-Cookie response header
  • Cookie name should be kppid
  • Cookie value should be 11-character alphanumeric (a-z, 0-9, _)
  • Cookies expiry can be set per client's lookback needs and we recommend setting it to 6 months
  • Cookie domain should be the site's domain e.g., domain = "" on
  • Control Tag should be configured to read the 1p cookie and use the value as an identifier


Server-side cookies can be managed in all popular webserver frameworks. The exact technique varies according to the stack you are using.

Mozilla’s developer documentation [2] provides reference material on the response header itself.ere is an example HTTP “Set-Cookie” response header:

Set-Cookie: kppid=F1riopnS_3f; Expires=Tue, 29-Oct-19 13:26:44 GMT; Max-Age=15552000;; Path=/

More Information

Set Cookie via API

Salesforce's Cookie Policy

Expiring Cookies

Third Party Providers with First Party Cookies

Have more questions? Submit a request


Please sign in to leave a comment.