Safari has recently introduced Intelligent Tracking Prevention (ITP) 2.1 and 2.2 that restricts cookie tracking capabilities. In Safari, a cookie created on a visitor’s browser (using document.cookie) expires after 7 days. In addition, as per ITP 2.2, if a user comes from social traffic, the cookies on the website expire within 24 hours.
How ITP Impacts VWO Tracking
The expiry of all first-party cookies in 7 days means that visitors who return to the website after 7 days of becoming part of the campaign, are identified as a new visitor. This can inflate the number of unique visitors and skew the conversion rate of your A/B test campaigns.
The same visitor who is visiting the website after 7 days may be served a different variation than what was previously shown. This can create inconsistent experiences and impact campaign accuracy. Also, any social traffic visitors on your website who appear after 24 hours of their last visit are treated as new visitors, despite them visiting the site a little more than 24 hours ago.
The Campaign Is Running on a Single Domain
If you are running VWO campaigns on a single domain, then there is nothing you need to do additionally. The 7-day limitation is handled with an automatic fallback to local storage for all client-side cookie data. This is implemented and works for all visitors using Safari browser (version 12.1 or above).
However, the default implementation does not apply if you are running the VWO campaign on multiple domains.
The Campaign Is Running on Multiple Domains
VWO currently does not support tracking across multiple domains, as it is not supported by default in Safari.
The Campaign Is Running on Multiple Subdomains
For sites that are on a single domain, there are no limitations and the solution works perfectly out of the box. However, if the campaign is running on sites spread across multiple domains, the following are some cases we may find:
- If the user keeps visiting any subdomain of the website within 7 days of the last visit, everything works as expected.
- However, if more than 7 days have passed since the user’s last visit to any subdomain, things may or may not work as expected.
For example, if more than 7 days have passed since the user’s last visit to any subdomain, it may not have the updated VWO cookie data as was on his last visit. This can cause issues which may include, but may not be limited to the following scenarios:
- User is tracked as a new visitor if he visits a brand new subdomain.
- If the user is part of a funnel earlier, he/she might be included again in the funnel.
- The user may be tracked as a returning visitor, but his conversion might be recorded again.
To resolve such issues, it is recommended to install a cookie sync endpoint.
Installing a Cookie Sync Endpoint
To avoid ITP-related issues, if your website is on multiple subdomains, you must install a cookie sync endpoint on your server to read the cookies created by VWO and set an infinite expiry (for example, 10 years). VWO will provide this snippet in various backend languages like PHP, Node.js, Java, Python, and others.
IN SYNC PHP SCRIPT EXAMPLE
If you have a PHP implementation, the following configuration needs to be installed before the VWO Smart Code.
With the following script example added, cookies don’t expire and VWO don’t need to rely on local storage at all.
IN SYNC NODE JS EXAMPLE
If you have a Node.js implementation, the following configuration needs to be installed before the VWO Smart Code.
FileName: Sync.js, Node.js Implementation
IN SYNC .NET EXAMPLE
If you have a .NET implementation, the following configuration needs to be installed before the VWO Smart Code.
If you are using NetStandard2.0, you can use the above code as follows:
Frequently Asked Questions
How does the code for cookie sync work?
The logic converts all VWO client-side cookies to server-side cookies and sets their expiry to 10 years. The 7-day expiry limit does not apply to server-side cookies, so tracking and other VWO features work normally.
Does that mean VWO cookies will never expire until 10 years?
No. We have added logic to manually expire cookies on the front-end. VWO stores the expiry of all cookies alongside their values, and will automatically determine when a cookie should be deleted.
Should I worry about any security threats or cookies leaking?
Absolutely not. There are no security concerns or threats of cookie leaking, as VWO does not receive or store any cookies sent to the syncing script. All logic lies and is stored on your own server.