Skip to main content
Back to Guides
Integration5 min read

First-Party Cookies and Server-Side Tagging: Beating ITP

How Safari's Intelligent Tracking Prevention caps browser-set cookies at seven days, why server-set first-party cookies survive longer, and how server-side tagging extends cookie lifetime without cloaking.

Why Your First-Party Cookies Keep Disappearing

If your analytics shows a flood of "new" visitors who are really returning ones, or your Safari conversion counts look thin, the cause is often invisible: your first-party cookies are being deleted early. This isn't a bug in your setup. It's Apple's Intelligent Tracking Prevention (ITP) doing exactly what it was designed to do, and it's the single strongest technical argument for server-side tagging.

This guide is about keeping first-party cookies alive longer. It's the counterpart to First-Party Cookieless Tracking, which covers measuring without persistent identifiers at all. Here we assume you still want durable first-party cookies, and the question is how to stop the browser from expiring them in a week.

The Seven-Day Cap, Explained

The key detail is where a cookie is set. There are two ways to create a cookie, and Safari treats them very differently.

  • Client-side cookies are written by JavaScript in the browser, via document.cookie. Almost every analytics and advertising tag does this. WebKit, the engine behind Safari, states that "ITP would cap the expiry of client-side cookies to seven days," and later extended that restriction so that all script-writable storage is deleted after seven days of Safari use without interaction on the site.
  • Server-set cookies are created by your server in the HTTP response, using a Set-Cookie header, typically with the HttpOnly flag so JavaScript can't touch them. These are not subject to the seven-day cap. On a genuine first-party domain they can persist for the browser's normal maximum, currently around 400 days.

That single distinction is why a GA4 or Meta cookie written by a browser tag quietly expires within a week on Safari, while a cookie your own server sets can last more than a year. Server-side tagging exists, in large part, to move cookie-setting from the browser to the server.

How Server-Side Tagging Extends Cookie Lifetime

In a server-side setup, your web container sends events to a server container on a first-party subdomain such as sgtm.yoursite.com. Because that request hits your own server, the server can respond with a Set-Cookie header that writes a first-party, server-set cookie. That cookie is the durable identifier ITP doesn't shorten.

For Google's own tags, the server container can take over management of the first-party cookies GA4 relies on, so returning visitors are recognized across sessions a client-side cookie would have forgotten. For advertising, the same idea keeps the identifiers conversion matching depends on alive long enough to actually attribute a sale. The result: fewer phantom "new" users, more complete return-visit data, and attribution windows that survive longer than a week on Safari.

A First-Party Subdomain Is Not Automatically Trusted

Setting a cookie from a subdomain is not a loophole you can abuse. Safari's ITP specifically detects CNAME cloaking, where a subdomain like track.yoursite.com is really a disguised alias pointing at a third-party tracker's infrastructure. When Safari sees that the subdomain resolves to an IP range that does not match your own site, it treats the cookie as third-party-ish and reapplies the seven-day cap. To earn the long lifetime, the tagging server has to be genuinely first-party, not a rebranded third-party endpoint. Verify your DNS and hosting actually keep the request within your own domain.

What This Does and Does Not Buy You

It's worth being precise, because server-side cookies are sometimes oversold.

What genuinely improves

  • Return-visitor recognition. Server-set first-party cookies persist far beyond seven days, so Safari users aren't counted as new on every visit.
  • Attribution windows. Conversion identifiers live long enough to connect a click to a purchase days later.
  • Resilience. A first-party endpoint is harder for content blockers to strip than a third-party pixel.

What it does not change

  • Consent still governs everything. A longer-lived cookie set without consent is a longer-lived compliance problem. Extending cookie lifetime doesn't extend your legal basis.
  • Some browser cookies remain. If vendor scripts still run in the browser and write their own cookies, those are still capped. A clean setup minimizes them.
  • Cross-site tracking is still restricted. Server-side cookies extend first-party lifetime; they don't resurrect third-party cross-site tracking, and they shouldn't try to.

Longer-Lived Cookies Raise the Stakes on Consent

A first-party cookie that lasts 400 days is far more useful to you, and far more consequential for the visitor. Regulators treat the duration of storage as part of what a user consents to, and disproportionately long cookie lifetimes have drawn criticism in guidance from data protection authorities. Set realistic expirations, document them in your cookie policy, and make sure a visitor who withdraws consent actually has these cookies cleared. Durability is a benefit only when it sits on a valid legal basis.

Doing It With Consent Built In

Because server-set cookies are durable, the consent gate in front of them matters more, not less. The visitor's choice has to reach the server before it writes an identifier, and withdrawing consent has to clear those cookies. CookieBeam's server-side GTM add-on stores the consent decision in a first-party cookie and makes it readable inside the server container, so cookie-setting and consent live in the same place instead of being reconciled after the fact. See Server-Side Consent Enforcement for how the signal is enforced, and How to Set Up a Server-Side GTM Container for the provisioning steps.

Related Guides and Sources

Compare approaches in First-Party Cookieless Tracking and What Is Server-Side Google Tag Manager? Primary sources: WebKit's Full Third-Party Cookie Blocking and More on ITP and the seven-day cap, and Google's server-side tagging documentation.

First-Party Cookies, Server-Side Tagging & Safari ITP | CookieBeam | CookieBeam