THE RKGBLOG

How redirectors solve the third-party cookie problem

Recently, one of our competitors brought up a good point about third-party cookies and tracking.  They pointed out that some browsers, on iOS-based devices in particular, do not accept third-party cookies by default.  This makes tracking conversions on those devices challenging for tracking methods that rely on third-party cookies.  We completely agree with that part of their analysis.

However, they associated using an http redirect with third-party cookies and suggested that using redirect-based tracking is susceptible to the same pitfalls.  This indicates either a misunderstanding of what a third-party cookie is or a lack of understanding of how a redirect-based system should work.  We wanted to clear that up for them.

First, what is a third-party cookie?  A third-party cookie is a cookie from any domain other than the domain of the original page request.  So if the original request is for http://someretailer.com/index.html, and there is an image on the page from http://content-provider.net/image1.jpg, a cookie set by content-provider.net would be a third-party cookie.  One from http://content.someretailer.com/image2.jpg would not be a third-party cookie.  It is the same base domain as the original request, so it is considered a first-party cookie.

Who cares?  Privacy advocates care a great deal.  Feel free to skip to the next paragraph if you already understand why.  Web sites often use cookies to keep track of users so they can remember what they put in their cart, or display breadcrumbs, or otherwise keep track of an individual browser.  But since a cookie can be read any time the browser makes a request to the server it can be used to track the browser between multiple sites.  For example if retailer1.com and retailer2.com both use some-tracker.com tracking, the some-tracker.com cookie will allow some-tracker.com to track them on both sites and possibly correlate their behavior across both, as well as any other sites that use them.  This gets interesting when you consider how many sites use Google Analytics…

This concern has prompted the major browser makers to include an option to restrict third-party web servers from setting cookies for objects on pages that are not their own.

Section of Google Chrome options page where one controls third party cookie behavior
Mozilla Firefox options page where one controls third party cookie behavior
Internet Explorer Options page where one controls third party cookie behavior

What does this mean?  Any tracking solution that relies on setting third-party cookies will not be able to set a cookie (and therefore will not be able to track) browsers with that setting turned on.  This is true whether the request is done through a server-generated img tag or a JavaScript-generated element.

How does a redirector solve this?  When a browser requests a page from a redirector, the redirector is the first party.  So if a browser requests http://redirect.another-tracker.com/?goto=client1.com/index.html, the server could respond with “Actually go to http://client1.com/index.html, and by the way please set a cookie for another-tracker.com.”  Since the request is to “another-tracker.com” and the cookie is for “another-tracker.com”, the browser does not consider it third-party so it accepts the cookie (unless the browser has all cookies turned off, in which case they won’t be able to add anything to their cart on the client site so won’t be able to convert anyway).  When the customer reaches the conversion page that contains a tracking tag, the browser is then happy to present the existing cookie to the third-party server, although it would not accept any new cookies that server tried to set at that time.

As with any solution, there are some additional technical gotchas, so this method may not be something just any company can get to work.  But we have tested and verified it with many browsers, including Safari on iOS devices, so we are confident in our understanding of how best to track the performance of our customers’ ads.

Technorati Tags: , ,

  • John Miller
    John is the VP of IT at RKG.
  • Comments
    10 Responses to “How redirectors solve the third-party cookie problem”
    1. John,

      Nice summary explaining third party cookies and clearing a lot of the confusion on the topic. We too have had no issues with ioS tracking that the “competitor” mentioned. Besides, how could any marketing manager worth her salt let a 30-40% discrepancy in conversions slide !

      Sid

      PS: Decoding puzzle for George
      NoLastNameBecauseTheyWillTryToStealHim = Miller

    2. Sid, I can’t believe you ‘outed’ him! :-)

    3. John Miller John Miller says:

      Sid, Thanks for the comment. We wonder that too!

    4. Matt Trimmer says:

      You seem to be suggesting that Google Analytics uses third party cookies. It doesn’t. See:

      http://analytics.blogspot.com/2009/05/top-ten-myths-about-google-analytics.html

      http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html#HowGAUsesCookies.

      Try not to add to the misinformation!

    5. John Miller John Miller says:

      Matt, thanks for pointing that out. I was trying to provide an example of cross-site tracking that broad enough that it could be a concern to privacy advocates. I did not mean imply they are using third-party cookies. They certainly would not get as accurate data as they do if they were using them.

    6. Steve Thair says:

      John,

      How do you see analytics done at the network level a la Atomic Lab’s Pion fitting into this scenario?

      cheers,
      Steve

    7. John Miller John Miller says:

      Steve, basically like apples and oranges. Pion is a tool that lets you, the web site operator, collect and analyze all sorts of data. Third party tracking requires a third party such as an agency who is doing some of that for you. In the fruit salad of web analytics they can complement each other providing a much richer (tastier?) data set. But they are very different tools.

    8. So you’ve “solved” a problem? It sounds more like you have found a way to circumvent the client browser’s privacy settings. Whether it works or not is irrelevant; you are deliberately doing an end run around the privacy preferences of the end user.

      This practice is dishonest and unscrupulous. It’s pretty much exactly the same thing as using spam to sell fake viagra.

    9. Very similar, except for the fact that we’re not scamming anyone, it doesn’t cost anyone anything, and the information is only used to help us target ads more effectively. More relevant ads for users, more efficient advertising for the advertisers (read: job creation) and no collection of personally identifiable information. Very similar to theft, yep…

    10. Ram says:

      Hi John,

      We have placed the following in the footer of our site:

      goto in turn consist of the following script

      The redirect script is working but its not dropping the cookie for “aff=”. What to do..???