For WebKit cohort browsing devices (any browser on an iOS device, or Safari on any device OS), ITP 2.3 expires all first-party JavaScript cookies by default after 7 days (regardless of the expiration value assigned when set), and where link decoration exists (e.g., where an ad click URL parameter exists) the expiration window is shortened to 24 hours. However, for now, ITP 2.3 honors unlimited expiration for all HTTP cookies, and the HttpOnly attribute is not required to achieve unlimited expiration.
Simo Ahava’s Cookie Monster is a Google Tag Manager Server container custom tag template available in Google Tag Manager’s community template gallery. This custom tag template can be used to set browser cookies in the HTTP response back from the Server container (i.e., to set HTTP cookies), with the Secure attribute by default, and optionally with the HttpOnly attribute.
Setting the Google Optimize _gaexp cookie via HTTP response
An interesting use case for this custom tag template is to set the Google Optimize experiment cookie, _gaexp, using an HTTP response. This requires creating a new Server container Cookie Value variable for _gaexp, and fetching the value from the HTTP request sent to the Server container endpoint.
You would set the _gaexp cookie with the Secure attribute only (no HttpOnly attribute). Why? Because the Optimize JavaScript is still initialized in the browser, and the HttpOnly attribute would prevent browser JavaScript from reading the _gaexp cookie value to evaluate whether or not the browsing device has already been included in a related test or personalization.
Setting the Google Optimize experiment cookie via HTTP response in this manner prevents negative Safari ITP impacts on Google Optimize tests we inventoried previously.
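The response header for this use case, sketched as an added example in plain JavaScript (not the Cookie Monster template's code). The function names, the two-year Max-Age, the domain argument and the sample cookie value are assumptions; the value check is an extra safeguard applied before a request value is echoed into a response header.

```javascript
// Added example: function names, lifetime and sample data are assumptions.
const COOKIE_NAME = '_gaexp';
const MAX_AGE_SECONDS = 60 * 60 * 24 * 365 * 2; // assumed lifetime (2 years)

// Constructed sample of a Cookie request header reaching the server endpoint.
const SAMPLE_COOKIE_HEADER =
  '_ga=GA1.2.111.222; _gaexp=GAX1.2.constructedExpId.18500.1';

// Extract one cookie value from a raw Cookie request header.
function readCookie(cookieHeader, name) {
  if (typeof cookieHeader !== 'string') return null;
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// RFC 6265 cookie-octet check: rejects control characters, whitespace,
// quotes, commas, semicolons and backslashes, so a crafted request value
// cannot add attributes or split the response header.
function isSafeCookieValue(value) {
  return /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/.test(value);
}

// Build the Set-Cookie header that re-issues _gaexp as an HTTP cookie.
// Secure is set; HttpOnly is deliberately absent so the Optimize
// JavaScript in the browser can still read the value.
function buildGaexpSetCookie(cookieHeader, domain) {
  const value = readCookie(cookieHeader, COOKIE_NAME);
  if (value === null || !isSafeCookieValue(value)) return null; // nothing to re-set
  return [
    `${COOKIE_NAME}=${value}`,
    `Domain=${domain}`,
    'Path=/',
    `Max-Age=${MAX_AGE_SECONDS}`,
    'Secure',
  ].join('; ');
}

console.log(buildGaexpSetCookie(SAMPLE_COOKIE_HEADER, 'example.com'));
```

A null return means the request carried no usable _gaexp value, in which case no cookie should be written.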
Related: (i) Server-side GTM, HTTP cookies and Google Analytics, (ii) Safari ITP impact on Google Optimize tests