Safari ITP update limits cookies to 7 days for responses from 3rd party IPs

Feb 6, 2023
Also available in

The Webkit team, led by Safari, has been at the forefront of combating invasive data collection when it comes to web surfing. In a revolutionary move against third-party cookies tracking tactics, they imposed limitations that drastically reduced third-party cookies' lifetime duration to 7 days or even 24 hours. However, companies soon found an effective workaround to this limitation with the help of server-side tagging configured on a custom domain.

In autumn 2022, Safari announced a new change in how they treat cookies. They will cap cookie lifetimes to 7 days for responses from third-party IP addresses. So, we at Stape created a Cookie keeper power-up, about which you can find out more here.

In this blog post, I will describe how the limitation of cookie lifetime based on the IP address works and what it means for web advertising and analytics. And, of course, how stape can help with the new restriction. 

How Safari tries to restrict the use of third-party cookiesCopy link to this section

Apple's Intelligent Tracking Prevention (ITP), which first made its debut in 2017, has seen multiple transformations to become increasingly restrictive with each iteration. The main goal of Safari when it comes to tracking limitations is to restrict advertising and analytic networks from profiling users across different websites. This helps to enhance user privacy and prevent unwanted tracking of users' online activities on one side. But on the other side, this can make it more difficult for advertisers to target users with personalized ads and track the effectiveness of their advertising campaigns.

Let’s dive into more details on what is wrong with 3rd party cookies and the existing restrictions on using third-party cookies for browsers based on WebKit. 

First-party cookies - are small text files stored on a user's device by the website they visit. If the website is, first-party cookies will be considered those set from the main domain and all subdomains,, etc. They are used to store information about the user's preferences, such as login credentials, language preferences, and shopping cart items. Because first-party cookies are set by the website being visited, they are considered "first-party" and are generally not subject to the same privacy restrictions as third-party cookies.

Third-party cookies - those set not from your domain. For example, when or set cookies on the domain, these are considered third-party. Third-party cookies are often set by advertisers or tracking companies to collect information about a user's behavior across multiple websites.

Safari has been regularly updating its Intelligent Tracking Prevention (ITP) feature to restrict third-party cookies' use further and improve user privacy. Here is a short timeline of the critical ITP updates:

  1. ITP limits third-party cookies by default to 7 days.
  2. ITP limits third-party cookies' lifetime to 24 hours if the URL has query parameters (like utm_source, click ids, etc.).
  3. ITP limits first-party cookies' lifetime to 7 days if they were set using CNAME cloaking.
  4. [Beta] ITP limits first-party cookie lifetime to 7 days for responses from 3rd party IPs. We will discuss this in the next chapter.

How Safari ITP restrictions affect advertisersCopy link to this section

Advertisers who rely on third-party cookies to track user behavior and serve targeted ads may see a decline in the effectiveness of their campaigns when users are browsing Safari. This is because the browser's restriction on third-party cookies prevents advertisers from collecting data on users across multiple websites. As a result, they may see a decrease in conversions and a lower return on investment for their advertising spend.

Drop in ad performance Copy link to this section

Ad networks use third-party cookies to collect data about users who visit different websites by assigning the same user a unique third-party cookie. This way, they can see what websites users browse online and understand their interests. Ultimately, they use this data to show ads based on the user's behavior and interests. 

Since using third-party cookies is limited in Safari, this results in less accurate user profiling and, thus, less compelling interest or behavioral targeting. As a result, advertisers spend less money and put more into organic outreach, sponsorship, etc. For programmatic media buying, advertisers started to set less CPM for the target audience since the results of this type of campaign decreased. 

Less accurate conversion attributionCopy link to this section

The second critical use case of third-party cookies in cases of advertising platforms is utilizing a click id. When a user clicks on the ad, most advertising networks add a unique click ID to the URL and store the click id as a third-party cookie. When a user converts, this click id is used to understand what conversion should be attributed to which campaigns. This has a considerable effect on affiliate networks.

ITP makes it difficult for affiliate networks to attribute sales and commissions to the correct affiliates, as the cookie data used for tracking may be deleted after just seven days.

Because of this reason, many popular affiliate networks have started to make server-side tracking implementation mandatory for publishers. With the help of server-side tracking, it’s possible to set first-party cookies and rely on a longer cookie lifetime. 

Lower-quality remarketing audienceCopy link to this section

Remarketing is a technique where advertisers show targeted ads to users who have previously interacted with their website. This is typically accomplished by using third-party cookies. Since a user who visited your website in Safari can stay in the remarketing pool for only 7 days, the size of the remarketing audience will decrease.  

Incorrect analytics dataCopy link to this section

Analytics platforms use cookies to identify if a user is new or has already visited your website. If a safari user does not revisit your website every 7 or 1 day, they will be considered new. And it will have a substantial negative impact on user journey, conversion analytics, etc. 

The solution for existing ITP limitationsCopy link to this section

Webkit's restriction on third-party cookies may have initially seemed like a roadblock, but the most popular solution was soon discovered. By employing server-side tagging, web developers could easily bypass this issue.

In the case of server Google Tag Manager, if you set up a tagging server URL located under your main site domain, like for the website, a tagging server can set first-party cookies, which will increase the cookie lifetime to the default settings. 

Even after advertisers found this solution, webkit tried to restrict it even more. Their main concern was CNAME cloaking, which was later restricted. CNAME clocking is designed to outwit ITP so that it would treat third-party cookies in a first-party contact. If Safari detects CNAME cloaking, they limit JavaScript first-party cookies to the same 7 days as they would limit third-party cookies.

How does ITP limits cookies for responses from 3rd party IPs?Copy link to this section

In autumn 2022, webkit announced the new limitation on using third-party cookies for all Safari users. They will limit cookie lifetimes to 7 days for responses from third-party IP addresses. This limitation is available only for beta Safari users and does not yet affect everyone. But since it was announced several months ago, it will soon be released to production and affect all browsers using ITP. 

Whenever a new ITP detects that the IP address of the URL that tries to set cookies is different from your website’s domain, it cuts cookies' lifetime to 7 days, whether it’s first-party or third-party. For example, your website points to IP, and you previously used server-side tagging to increase cookies' lifetime. Let’s say you use the tagging server which points to to set first-party cookies. ITP will detect that and have completely different IPs. In this case, it will treat cookies set by the tagging server as standard third-party cookies, limiting cookies' lifetime to 7 days. 

Safari won't decrease cookies' lifetime if the IP address of the domain that sets first-party cookies is half matching (i.e., 16 for IPv4 and 64 for IPv6). So if your main site IP address is, then cookies are set from the subdomain that points to the IP, which starts with 1.1. will be considered the first party, and its lifetime won’t be cut. But Webkit says they might change the first 50% match rate rule. 

Why does Safari decide to limit cookies by IP?Copy link to this section

After the restriction on CNAME records, most platforms and server Google Tag Manager also moved to use A or AAAA records for setting up first-party cookies related to third-party domains. So, for example, you can set a custom domain for your sGTM tagging server URL by utilizing A record in case of stape users and set first-party cookies for Google Analytics, Facebook, Affiliate networks, etc., with the help of server-side tagging. 

Is server-side tracking a solution for the new ITP cookies limitationsCopy link to this section

No, it’s not. At least in a way that server-side tagging works for now. The main reason is that tagging server IP addresses will ultimately differ from the IP you use for the website.

The good news is that the stape team worked on a solution that can help increase the cookie lifetime. It is already released! 

The impact of the new Safari restrictionsCopy link to this section

This new release would bring everyone back to where they were using third-party cookies. When a user browses your website in Safari, first-party cookies will live for up to 7 days, except it is set from the domain whose IP matches at least 50% of your website IP address. 

Yes. You can. We rolled out our solution Cookie keeper quite recently. You can find out more here.

Would like to prolong cookies lifetime?

Just click on Learn more, and find out how you can deal with new ITP update with the help of stape.

Learn more
Tagged with:gtm server

Relevant posts

Aug 20, 2021

Third-party cookies are about to expire. Will server-side tracking help?

By the end of 2024, Chrome and Chrome-based browsers will be done with third-party cookies. Safari and Firefox already implemented Intelligent Tracking Algorithms that can block trackers. That leads to the next point: digital advertising methods that rely on third-party cookies to target consumers might become ineffective or even stop working altogether. This change in how advertisers track users will hurt many publishers and ad networks that rely on these third-party companies to display ads and collect data from site visitors to understand their audience. In this blog post, I will explain what a third-party cookie is, why it matters, and how server-side tracking can help businesses transit to the world without third-party cookies.

Oct 6, 2020

How to add a custom domain to the Google Tag Manager Server container

In this article, I will describe how to set up a custom subdomain within your Google Tag Manager server container. The main advantage of a custom subdomain inside the Google Tag Manager Server container is that it helps to bypass Intelligent Tracking Preventions, AdBlockers and increases cookie lifetime for users browsing in Safari. Pixels will be loaded from your subdomain and run as the first-party.

Dec 5, 2021

How to set up server-side affiliate tracking using server Google Tag Manager

Why you should set up server-side affiliate tracking. Plus, a step-by-step guide on how to set up server-side affiliate conversion tracking using server Google Tag Manager.

Host your GTM server at Stape