If you've ever noticed mysterious /set_cookie
requests appearing in your server-side Google Tag Manager (sGTM) logs, you may be wondering what they are, why they exist, and whether they indicate a problem. These requests often raise concerns about billing, data collection, and tag behavior.
The short answer is: this is expected behavior (and not documented by Google), not an error. These requests are part of a clever solution to a complex timing problem inherent in server-side tagging.
In this article, we'll break down what /set_cookie
requests are and what role they play in ensuring reliable tracking and cookie collection in sGTM.
A /set_cookie
request occurs when three conditions are met:
sendPixelFromBrowser
API in sGTM.setCookie
API after sendPixelFromBrowser
API has already been called.richsstsse
parameter in the end of its URL and without having any value (e.g. [...]&richsstsse
).Tags like Google Ads Conversion/Remarketing, Floodlights, and GA4 (when Google Signals is enabled) rely on firing pixels from the browser to sync third-party cookies. To do this effectively, the sendPixelFromBrowser
API is often called very early in the tag's execution process to give the browser maximum time to collect these cookies from the vendor's domains (like doubleclick.net
).
When this API is called, sGTM immediately sends the response back to the browser to initiate the third-party pixel syncing request.
Here's the catch: once the response has been sent, the server can no longer add new Set-Cookie
headers to the response. Only the tags that set cookies using the setCookie
API before sendPixelFromBrowser
API was called will have their cookies set through Set-Cookie
headers.
This creates a problem. What if other tags are still running and need to set a first-party cookie? They've missed their chance because the headers are already gone. |
This is where the richsstsse
parameter and the /set_cookie
come in.
The richsstsse
parameter acts as a flag, signaling that the entity that sent the event in the browser (usually a Google tag / gtag
or Stape Data tag) supports a special "command protocol." This protocol allows the server to send instructions back to the browser in the response, such as setting cookies or firing third-party pixels, even after the initial response has already been sent.
And /set_cookie
is a request back to the sGTM from the browser to pick up the cookies that should have been set previously, but didn't get a chance to.
In short: to ensure third-party cookies can be collected, sGTM sends its response early. To ensure first-party cookies can still be set after that, it uses a special protocol to send instructions in the response body. This protocol is what generates the /set_cookie
requests.
When the richsstsse
parameter is present in the incoming request to your sGTM container, sGTM sends the response body in a series of chunks. You can observe this in the sGTM Preview Mode page under the "Outgoing HTTP Requests from Browser" section.
The response body isn't delivered all at once, but in parts, with each new chunk appearing as tags execute the setCookie
or sendPixelFromBrowser
commands.
For example, the gtag
(GA4 tags) library uses a ReadableStream
to handle this. Each chunk contains a message with instructions, such as:
send_pixel
: tells the browser to fire a pixel to a specific URL, which can be for third-party cookie syncing or other purposes.response
: the final message in the stream, which contains the "real" HTTP status code and body that the client was expecting.Here is an example of what these data chunks look like in the response body:
// Instruction to send a pixel to set a cookie via the sGTM endpoint
event: message
data: {"send_pixel":["${transport_url}/_/set_cookie?val=[...]&path=${encoded_path}"]}
// Instruction to send a pixel to a Google domain for third-party cookie syncing
event: message
data: {"send_pixel":["https://googleads.g.doubleclick.net/pagead/viewthroughconversion/[...]","fallback_url_method":"fetch"}}
// Instruction to send a pixel to a Google domain for third-party cookie syncing
event: message
data: {"send_pixel":["https://www.google.com.br/ads/ga-audiences?v=1&t=sr&slf_rd=1&_r=4&dma=0&[...]"],"options":{}}
// Instruction to send a pixel to a Google domain for third-party cookie syncing
event: message
data: {"send_pixel":["https://ad.doubleclick.net/activity;register_conversion=1;[...]"],"options":{"attribution_reporting":true}}
// The final response message
event: message
data: {"response":{"status_code":200,"body":""}}
And also, please take a look here:
You can see in this last video that the response body is not received once, but in parts. The chunks list keeps increasing as soon as the tags execute the setCookie
and sendPixelFromBrowser
instructions.
For those who want a deeper understanding, here are a few key technical points derived from tests and observations.
sendPixelFromBrowser
may generate /set_cookie
requests.200
status code, regardless of what your client defines. The actual status code is delivered in the final response
message chunk.sendPixelFromBrowser
is not called, sGTM waits until all tags finish (or timeout at the default timeout of 20 seconds) before responding.send_pixel
commands include a fallback URL (seen in the fallback_url
parameter) in case the primary request is blocked.setCookie
or sendPixelFromBrowser
APIs must be called before running data.gtmOnSuccess()
or data.gtmOnFailure()
in the tag's code. This ensures your commands are queued before the tag signals its completion.Set-Cookie
response headers.sendPixelFromBrowser
API will be gracefully ignored.You'll most commonly see /set_cookie
requests when using tags that rely on third-party cookie syncing for remarketing and conversion tracking. This includes:
sendPixelFromBrowser
API, such as the Microsoft UET CAPI tag and Amazon tag.Each /set_cookie
request is a new incoming request that your tagging server infrastructure (like Google Cloud Platform or Stape) has to process. If you have a high volume of events that trigger this behavior, it can lead to an increase in your server costs.
They are normal and expected behavior in sGTM. They are not an error or a problem.
However, you can manage it with good tagging hygiene:
The /set_cookie
requests you see from your GTM are not a cause for alarm. Instead, they are a core part of the sophisticated mechanism that allows server-side tagging to effectively handle both first-party and third-party cookie requirements.
By sending an early response to facilitate third-party GTM cookie syncing and then using a chunked response body to send follow-up instructions, sGTM navigates the technical limitations of the HTTP protocol.
As an option to ease your mind:
Comments