Show Menu

at.js cookies

Information about at.js 2.x and at.js 1. x cookie behavior.

Impact on Target for Safari visitors due to Apple WebKit tracking changes

Keep the following in mind:

How does Adobe Target Tracking work?

First-party domains
This is the standard implementation for Target customers. The "mbox" cookies is set in the customer's domain.
Third-party tracking
Third-party tracking is important for advertising and targeting use cases in Target and in Adobe Audience Manager (AAM). Third-party tracking requires cross-site scripting techniques. Target uses two cookies, "mboxSession" and "mboxPC" set in the domain.

What is Apple's approach?

From Apple:
"Intelligent Tracking Prevention is a new WebKit feature that reduces cross-site tracking by further limiting cookies and other website data."
"This is what's called cross-site tracking and the cookie used by is called a third-party cookie. In our testing we found popular websites with over 70 such trackers, all silently collecting data on users."
Intelligent tracking prevention
For more information, see Intelligent Tracking Prevention on the WebKit Open Source Web Browser Engine website.
How Safari handles cookies:
  • Third-party cookies that are not on a domain the user accesses directly are never saved. This behavior is not new. Third-party cookies are already not supported in Safari.
  • Third-party cookies set on a domain the user accesses directly are purged after 24 hours.
  • First-party cookies are purged after 30 days if that first-party domain has been classified as tracking users across sites. This issue might apply to large companies that send users to different domains online. Apple has not made it clear how exactly these domains will be classified, or how a domain can determine if they've been classified as tracking users cross-site.
Machine Learning to identify domains that are cross-site
From Apple:
Machine Learning Classifier: A machine learning model is used to classify which top privately-controlled domains have the ability to track the user cross-site, based on the collected statistics. Out of the various statistics collected, three vectors turned out to have strong signal for classification based on current tracking practices: subresource under number of unique domains, sub frame under number of unique domains, and number of unique domains redirected to. All data collection and classification happens on-device.
However, if the user interacts with as the top domain, often referred to as a first-party domain, Intelligent Tracking Prevention considers it a signal that the user is interested in the website and temporarily adjusts its behavior as depicted in this timeline:
If the user interacted with the last 24 hours, its cookies will be available when is a third-party. This allows for "Sign in with my X account on Y" login scenarios.
  • Domains that are visited as top level domain won't be affected. Sites like OKTA for example
  • Identifies domains that are sub domain or sub frame of current page across multiple unique domains.

How will Adobe be affected?

Affected Functionality
Opt-out support
Apple's WebKit tracking changes breaks opt-out support.
Target opt-out uses a cookie in the domain. For more details, see Privacy .
Target supports two opt-outs:
  • One per client (the client manages the opt-out link).
  • One via Adobe that opts the user out of all Target functionality for all customers.
Both methods use the third-party cookie.
Target activities
Customers can choose their profile lifetime length for their Target accounts—up to 90 days. The concern is that if the account's profile lifetime is longer than 30 days, and the first-party cookie gets purged because the customer's domain has been marked as tracking users cross-site, behavior for Safari visitors will be affected in the following areas in Target:
Target Reports : If a Safari user enters into an activity, returns after 30 days, and then converts, that user counts as two visitors and one conversion.
This behavior is the same for activities using Analytics as the reporting source (A4T).
Profile & Activity Membership :
  • Profile data is erased when the first-party cookie expires.
  • Activity membership is erased when the first-party cookie expires.
  • Target does not function in Safari for accounts using a third-party cookie implementation or a first- and third-party cookie implementation. Note that this behavior is not new. Safari has not allowed third-party cookies for awhile.
Suggestions : If there is a concern that the customer domain might be marked as one tracking visitors cross-session, it's safest to set the profile lifetime to 30 days or fewer in Target. This ensures that users will be tracked similarly in Safari and all other browsers.