How to increase first-party cookie lifetime set by a third-party IP (Safari 16.4 and ITP update)

In early April 2023, Apple once again updated its Intelligent Tracking Prevention (ITP) functionality, which now limits the lifespan of cookies, even if they are set from a first-party domain.

In Safari 16.4+, server-side cookies are now set with a maximum duration of 7 days in the following cases:

1. The server setting the cookie is behind a CNAME that resolves (at any point) to a host that is third-party to the website the user is currently browsing.
2. The server setting the cookie is set with A/AAAA records that resolve to an IP address (IPv4 or IPv6) where the first half of the address does not match the first half of the IP address for the server on the website the user is currently browsing.

While JavaScript cookies can have any duration, they will be effectively deleted after 7 browser days.

Sounds concerning, right? But it's not as bad as it seems. In this article, we'll explain why and how you can easily continue using the full cookie duration with Stape.

Briefly about ITP updateCopy link to this section

This ITP update does not work if the user has the "Hide IP Address" from Trackers and Websites option enabled in their Safari settings. By default, this option is active for all iCloud+ users (if the user pays for any additional Apple services: iCloud storage, Apple Music, Apple Arcade, etc.). This nuance is why the update does not have as significant an impact as when iOS 14.5 was released.

At Stape, we always keep an eye on all updates and strive to minimize any negative impact on your marketing data. To address this, we have prepared two solutions: 

• Power-Up called 'Cookie Keeper'.
• Own CDN

How Own CDN WorksCopy link to this section

With the help of own CDN feature, you can rote sGTM custom domain and proxy sGTM traffic through the DNS provider of your website. In this case, the IP addresses  of your website and the custom domain of the sGTM will match, and server-side cookies will be considered as first-party. 

Below is an example of how to configure Own CDN using CloudFlare. 

1. Enable Own CDN in your stape account by opening the sGTM container -> go to settings, and select Own CDN in the Global CDN settings. 

2. Go to CloudFlare and configure CNAME record for the tagging server URL. Please make sure that Proxied is enabled. The setting should look like in the screenshot below. 

3. Go to the Rules -> Page Rules (1) inside your CloudFlare account. In the URL setting (2) add your tagging server URL ending with /*. Set SSL to Full (3) and Cache Level to Bypass (4). 

4. Go to the Rules -> Transform Rules (1) inside your CloudFlare account. In the Modify Request Header section (2), create a new rule. If All incoming requests (3), then Set static X-From-Cdn = cf-stape (4).

Also, please make sure that Web Application Firewall is set to off.

And that’s it! Now you don’t have to worry that CNAME Cloaking defense will restrict the cookies. With Own CDN on Stape the website and the server are considered to be first-party to each other.

How Cookie Keeper WorksCopy link to this section

The Cookie Keeper Power-Up is designed to help you maintain the functionality of your marketing cookies, even if they are deleted for any reason. Here's a simplified explanation of how it works:

1. The Cookie Keeper uses a "master cookie" to keep track of each user's unique ID. This master cookie complies with all ITP rules and is stored as a first-party cookie on your website.
2. When a user visits your website, the master cookie is checked to determine the user's unique ID.
3. If any marketing cookies (e.g., for Google Analytics, Google Ads, TikTok, Facebook, or Stape) are missing or have been deleted, the Cookie Keeper will use the master cookie's information to restore these cookies.
4. This restoration process ensures that your marketing cookies continue to function and provide accurate tracking of user behavior on your website, even if the original cookies were deleted.

By using the Cookie Keeper Power-Up, you can maintain the effectiveness of your marketing campaigns and ensure more accurate tracking, regardless of any cookie deletion that may occur.

How to Use Cookie Keeper for Shopify, WordPress and Magento storesCopy link to this section

1. Install and activate our Stape Server Side plugin:

• For WordPress stores.
• For Shopify stores.
• For Magento stores.

2. Configure the app settings.

Once installed, open the Stape plugin in your store admin. In the app settings, perform the following steps:

a) Enable the GTM snippet addition feature: Turn on the switch to activate the addition of the GTM snippet to your store.

b) Enter your GTM ID: Input your unique Google Tag Manager ID, which follows the format 'GTM-XXXXXX'.

c) Specify your custom domain: Provide the custom domain that you use for your GTM server container.

d) Enter the container identifier: You can find it in Container Settings on your Stape account.

e) Activate the Cookie Keeper option: Turn on this feature.

3. Activate the Power-Up.

a) In your Stape container, go to the Power-Ups section -> Cookie Keeper.

b) Select all the necessary platforms in the standard cookies, and if your subscription plan allows, add custom ones. By the way, if you want to set a standard 'fbp' cookie for a non-standard duration, you can add it to custom cookies, and your settings will be applied to that cookie.

c) Save the changes.

d) Go to the Power-Up Custom Loader.

e) Choose your domain, enter your GTM Web ID, and select your website's platform, either Shopify, WordPress or Magento.

Save your settings and test them using the instructions provided below.

How to use Cookie Keeper if you're not using Shopify/WordPress/Magento or have a custom platformCopy link to this section

For this, you need to have a master cookie* in place, based on which Cookie Keeper will restore the user's cookies. The optimal approach is as follows:

• The cookie should be set from the server response, with the server's IP address differing by no more than the last two octets.
• On every page load, the server should set the cookie (let's call it 'user_id', for example): https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie. The user_id should not be changed/updated if already present, in the browser. (just extend, it needs to be persistent)
• Use a hash of the user's IP address + timestamp as the cookie's value.
• Cookie duration: 400 days.
• Cookie domain: .your-domain.com
• Http only: false (don’t set this parameter to make it false)
• Secure: true

Once you've created such a cookie:

1) Activate Cookie Keeper in Stape Power-Ups for your container.

In the settings, select the platforms you need, and add custom cookies if necessary.

2) To use Cookie Keeper, you'll need to replace the GTM loader snippet.

Go to the Power-Up 'Custom Loader' and in its settings:

• Choose your verified domain.
• Enter your Web GTM ID.
• Select the type of identifier you use: cookie.
• Specify the name of your cookie.

A custom loader snippet will be generated for you to use instead of the standard one.

After this, everything is ready, and you can test the functionality of Cookie Keeper.

* You can also use other types of user identifiers, although cookies are preferable. Cookie Keeper also supports retrieving the user identifier from Local Storage, DOM Elements, and JavaScript variables.

What Stape offersCopy link to this section

On Stape, standard cookies are available for stape Pro plan users, for the most popular platforms: Google Analytics, Google Ads, TikTok, Facebook, and Stape cookies (including cookies set using Data Tag). 

Click on this link to find out which standard cookies for which platforms will be restored and for what duration.

For Business-tier users and above, you can also use any additional custom cookies. For example, if you use Twitter Ads, you can add the "twclid" cookie so that the click ID cookie for Twitter is also restored for the necessary duration.

The main goal here is to have a master cookie on your site. The master cookie is a first-party cookie that complies with all ITP rules and has a unique ID. We have created plugins for Shopify, WordPress and Magento that also set such cookies. Detailed instructions on how to properly configure these plugins along with the Cookie Keeper Power-Up are provided below. Additionally, there is information below with recommendations on how to set up a master cookie if you are using another or custom platform (in this case, unfortunately, you will need a developer).

Test if cookie lifetime was increasedCopy link to this section

The example below shows how to check the renewal of GA4 server-side cookies using Cookie Keeper and using Own CDN. If you use other platforms, you can also check their cookies. You can find the full list of standard cookies that are restored using Cookie Keeper here.

1. Open Safari browser: Make sure you are using Safari version 16.4 or higher. You can check the version by clicking "Safari" in the menu bar and then selecting "About Safari."

2. Access your store: Navigate to your store's URL in the Safari browser.

3. Inspect Element: Right-click on any empty space within your store's webpage and select "Inspect Element" from the context menu. This will open the Developer Tools panel.

4. Open the Storage tab: In the Developer Tools panel, click on the "Storage" tab to view the storage information for your store.

5. Find the Cookies section: On the left side of the "Storage" tab, click on "Cookies" to display the list of cookies associated with your store.

6. Locate and save the FPID value: In the list of cookies, find the 'FPID' cookie, which is the user ID cookie set for GA4. Take note of its value by copying it to a text editor or writing it down.

7. Delete the FPID cookie: Click on the 'FPID' cookie and press the "Delete" key on your keyboard, or right-click and choose "Delete" from the context menu. This will remove the cookie from the list.

8. Refresh the page: Reload your store's webpage by pressing the "Refresh" button in the browser or pressing the "Cmd+R" keys on your keyboard.

9. Refresh the page again: In order to see the updated cookies in Safari, you will need to refresh the page once more.

10. Verify the FPID cookie: After refreshing the page twice, locate the 'FPID' cookie in the list again. The value of this cookie should match the value you saved earlier.

ConclusionCopy link to this section

We hope this guide has made it easy for you to understand and implement the Cookie Keeper and Own CDN features. By tackling the challenges brought by the latest ITP update in Safari 16.4, you can now restore and maintain those essential marketing cookies.

So, stay informed, stay ahead of the curve, and keep rocking your marketing data collection and analysis with Stape.io. Happy marketing!