3rd Party Cookies & Server-Side Implementations
25 Apr 2021 » Server Side
A few weeks ago I heard of a conversation between Adobe and a customer about server-side implementations of web analytics and optimisation tools. In this case, the problem was that some vendor was misleading our customer. Well, actually, this vendor blatantly lied. I wanted to explain this situation so that none of my readers fall into this trap.
document.cookie = "cookiename=cookievalue; expires=Sun, 24 Apr 2021 12:00:00 UTC; path=/"
Now, all cookies have a domain. Where will the browser store a cookie in the previous case? Under the domain of the browser’s tab or window, also known as the origin domain. If I were to execute this code in this blog, the domain would be www.pedromonjo.com. However, the code above also allows you to specify the domain:
document.cookie = "cookiename=cookievalue; expires=Sun, 24 Apr 2021 12:00:00 UTC; path=/; domain=www.mywebsite.com"
So, you may be tempted to set the domain of the cookie to a different domain than the origin. This will work if the cookie domain is a parent of the origin. For example, if your origin is abc.mywebsite.com, you can set a cookie under mywebsite.com. But if you try setting it to a completely different domain, the browser will silently ignore your code and will not set the cookie. If you do not believe me, try it yourself!
The HTTP protocol defines an HTTP header called Set-Cookie, which does exactly what it says on the tin. With this header, a server can instruct a browser to set a cookie.
Set-Cookie: cookiename=cookievalue; expires=Sun, 24 Apr 2021 12:00:00 UTC; path=/; domain=www.mywebsite.com
Now, there is one caveat: the browser will only accept cookies for the same domain as the server or a parent domain. Again, if you try to set a cookie under another domain, the browser will silently ignore you.
Let me clarify one detail here. If you have a website under www.mywebsite.com and your images are stored under images.myassets.com, when the browser fetches the images, the server domain will be the latter. So, with all that I have explained so far, browsers will not allow your assets’ server to set a cookie under your website’s domain.
There is no way around it.
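The acceptance rule described above applies to both document.cookie and Set-Cookie. The following added example (not code from the original post) is a simplified JavaScript model of the RFC 6265 domain-matching check. The function names, the look-alike host notmywebsite.com and the two-entry public-suffix set are assumptions for illustration; real browsers consult the full Public Suffix List, which is also why a bare suffix such as com is refused even though it is a parent of the origin.

```javascript
// Added example: simplified model of the Domain-attribute check a browser
// applies to document.cookie and Set-Cookie (RFC 6265, sections 5.1.3 and 5.3).

// Constructed two-entry stand-in for the Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// RFC 6265 5.1.3: identical, or host ends with "." + domain and is not an IP.
function domainMatches(host, domain) {
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// requestHost: the tab's host for document.cookie, the responding server's
// host for Set-Cookie. domainAttr: value of the cookie's domain attribute.
function checkCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { accepted: true, hostOnly: true, domain: host };
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(domain)) {
    // A bare suffix is only usable as a host-only cookie on that exact host.
    return domain === host
      ? { accepted: true, hostOnly: true, domain: host }
      : { accepted: false, reason: "public suffix" };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: "not the request host or a parent of it" };
  }
  return { accepted: true, hostOnly: false, domain };
}

// Hostnames from the post, plus one constructed look-alike (notmywebsite.com).
const cases = [
  ["www.mywebsite.com", "www.mywebsite.com"],
  ["abc.mywebsite.com", "mywebsite.com"],
  ["images.myassets.com", "www.mywebsite.com"],
  ["notmywebsite.com", "mywebsite.com"],
  ["abc.mywebsite.com", "com"],
];
for (const [host, attr] of cases) {
  const r = checkCookieDomain(host, attr);
  console.log(`${host} -> domain=${attr}: ${r.accepted ? "stored" : "ignored (" + r.reason + ")"}`);
}
```

The fourth case shows why the match is made on a dot boundary: a host that merely ends with the same characters is not a subdomain and is refused.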