Understanding the new first-party cookie feature

(bolero) #1

I use a “central” piwik server, e.g. “piwikserver.example.org” that is called on the various sites that get tracked. Sitenames are for instance “www.example.com”, “www.example.net” etc. So, the second-level domain names are not the same. Is my understanding correct that in this case piwik won’t be able to use first-party cookies at all?

If I wanted to use first-party cookies I’d have to use hostnames that share the same second-level domain, e.g. “piwikserver.example.org” and “www.example.org”. Is that correct?
And set tracker.setCookieDomain, of course, as explained on http://piwik.org/docs/javascript-tracking/#toc-cookies-configuration-for-domains-and-sub-domains

(BTW: I can’t highlight and copy any text from the code samples on this page, only from the normal text. This happens in IE8.)

Are there other advantages of using first-party cookies than the problem that some people may reject third-party cookies by default?

I tested with IE8 what happens on my websites with the method described in the first paragraph. I have it set to block third-party cookies and except only session cookies. I don’t see that IE blocks any cookies. If it was a third-party cookie it should block it. So, are the assumptions I made above wrong?

(vipsoft) #2

In your setup, Piwik 1.1.1 (and earlier) would have created third-party cookies with the domain=piwikserver.example.org, regardless of which site a visitor visited (example.com, example.org).

In Piwik 1.2, these are now first party cookies. So cookies now belong to the site visited (domain=www.example.com, or domain=www.example.org).

When we refer to subdomains, we mean those that share the same domain name. Examples: www.example.com, forum.example.com, dev.example.com. If you wanted to track users to these subdomains under the same idsite, then you would use .setCookieDomain(’.example.com’).


  • first party cookies - greater browser/user acceptance; increases detection of returning visitors
  • first party cookies - shifts some of the data storage and processing from the server to the browser


  • first party cookies - adds network overhead as cookies are included in all the requests to the site being visited
  • first party cookies - aren’t shared cross-domain as visitors move between your sites on different domains; may increase unique visitor counts
  • first party cookies - additional configuration may be required


On my part, i want (and setup) all sub-domains as a different site, so i think there’s no problem at all for me.

If i understand this correctly, it’s only for people who want all sub-domains included in the stats of the domain that it cause hassle, need to edit the tracker code.
I wonder how much people are in this situation…

(bolero) #4

Hi vipsoft, thanks for the explanation, but it seems I cannot see that happening. The cookie “piwik_visitor2” sent by the browser is still under the external piwik hostname. There is another cookie not created by our application that is sent in the main domain, it’s named “_pk_id.1.1d17” Is that the one we are talking about? Interesting name :wink:

(bolero) #5

Sorry for coming back to this. I have followed those cookies a bit now and I see several of those first-party cookies being sent by the browser to my sites.
What seems to happen is the following:

site1.example.com sets a cookie for .example.com (id=3, id=6 for logged-in visitors)
site2.example.com sets a cookie for .example.com (id=3, id=6 for logged-in visitors)
site3.example.com sets a cookie for .example.com (id=1, id=5 for logged-in visitors)
www.example.com/subdir, example.com/subdir  sets a cookie for .example.com (id=7 for all visitors)
www.example.com, example.com sets a cookie for .example.com (id=1, id=5 for logged-in visitors)
www.anotherexample.com sets a cookie for .anotherexample.com.com (id=3, id=6 for logged-in visitors)

As shown above the ids can differ by site or by subdirectory or because the visitor is logged in or not.
site1, 2 and 3 are basically just staging servers for the production servers and normally they will not deliver any tracking code at all. But for testing purposes they sometimes do have tracking code enabled. In this case it is the same tracker id that the production site uses.

In the past I assumed that the tracking would be strictly separated by the tracker id. Is that still correct?
I see that each one sets a different cookie (name). The first four cookies have different names but all of them get sent by the browser when accessing a site under *.example.com because the root is .example.com. This is without any editing by me.

What’s not clear to me now, is whether these four cookies “count” for each of the sites/logged-in status independently (what I want) or if they count, no matter which site under .example.com is used. e.g. I do not want that a site tracking with id=1 counts for id=7 etc.
Is this what I get with the default setup or do I have to change something?

If I understand vipsoft’s explanation above correctly, then setting .setCookieDomain(’.example.com’) would assure that I can track all four sites mentioned above under one tracker id. Correct? e.g. site3.example.com and www.example.com (both using the same tracker id). What I do not understand here is the difference of using both sites with the same tracker id, one time with .setcookiedomain() and one time without .setcookiedomain(). What difference do I get in the stats? For me it seems that I just get everything collected in the tracker id. I don’t see different stats for site3 and www. for instance in the website statistics of id 1, although I haven’t used .setcookiedomain().
And what about the subdir case? Is it enough to have it on its own tracker id to get separate stats?

Cookies I see for example.com are: _pk_id.1.1.d17, _pk_id.7.1.d17, _pk_ses.1.1.d17
With www.example.com I have: the same three cookies plus _pk_id.1.1.2f8c for .www.example.com.
With site3.example.com I have: the same three cookies plus _pk_id.1.1.bac3 and _pk_id.1.5.bac3 for .www.example.com.
The 1 and 5 and 7 obviously being different tracker ids while the code at the end is for the various sub-sites.

Does this look correct?
Do I understand correctly that e.g. the cookie with the 5 doesn’t matter of the current tracker id isn’t 5, but 1?

Thanks. I hope this wasn’t too confusing and I didn’t confuse ids or sub-sites myself.
Should I change anything in my setup?