Arnaud PICHERY edited this page Oct 18, 2018 · 4 revisions

This document describes how WT1 uses cookies on websites.

WT1 uses first-party cookies to:

  • Distinguish unique visitors
  • Distinguish sessions
  • Store visitor parameters
  • Store session parameters

First-party cookies are associated with the tracked domain, not with the tracker domain, so they cannot be used for cross-domain tracking. First-party cookies are generally accepted by all browsers.

WT1 sets the following cookies.

| Cookie name | Expiration time | Description |
|---|---|---|
| __wt1vic | 2 years | Stores the unique identifier for a visitor. Used to distinguish unique visitors |
| __wt1sic | 30 minutes | Stores a session identifier. Used to distinguish sessions |
| __wt1vpc | 2 years | Stores the visitor-level custom variables |
| __wt1vsc | 30 minutes | Stores the session-level custom variables |

By default, the cookies are set on the domain specified by document.location.host (i.e., the "current website") on the / path.

Optional third-party cookies system

In addition to the first-party cookies system, WT1 can also set a single third-party cookie.

Third-party cookies are associated with the tracker domain and can be used for cross-site tracking, to uniquely identify a single visitor across many websites using the same WT1 instance.

Many browsers now default to blocking third-party cookies because they can be used for invasive tracking. It is to be expected that more and more browsers will do the same.

Third-party cookie tracking is enabled by adding a thirdPartyCookies=true parameter in the configuration file.

Third-party tracking enables the following two additional cookies:

| Cookie name | Expiration time | Description |
|---|---|---|
| __wt1tpvic | 2 years | Stores a unique cross-site identifier for a visitor. Used to distinguish unique visitors. |
| __wt1optout | 5 years | Stores value "1" when the user has opted out of third-party cookie tracking. |

Third-party cookie tracking opt-out system

When third-party cookie tracking is enabled, the following HTTP entry points can be used to implement an IAB-compliant opt-out system:

| URL (from the webapp's root) | Usage | Notes |
|---|---|---|
| /public/cookie/status | Queries the opt-out status for this user | Returns one of cookie, nocookie or optedout as described below. |
| /public/cookie/optout | Lets this user opt out of third-party cookie tracking. | Redirects to the opt-out status page above upon success. |
| /public/cookie/optin | Lets this user opt in to third-party cookie tracking. | Redirects to the opt-out status page above upon success. |

By default, opt-out status is reported as one of the following three values:

  • cookie if the user has not opted out of third-party cookie tracking and currently has an active third-party cookie,
  • nocookie if the user has not opted out of third-party cookie tracking and has no active third-party cookie,
  • optedout if the user has opted out of third-party cookie tracking.

If an optional opt-out callback URL is configured through the optoutCallbackUrl configuration directive, status reporting is instead performed by redirecting the user to this URL with an appended query string ?status=STATUS, where STATUS is the opt-out status result defined above. For example, if the configuration file contains:

optoutCallbackUrl = http://www.mysite.com/optout/callback

then a user accessing the /public/cookie/optout WT1 URL will be handled as follows:

  • any existing third-party tracking cookie is cleared,
  • the opt-out cookie is set,
  • the user is redirected to the /public/cookie/status WT1 URL,
  • the user is redirected to http://www.mysite.com/optout/callback?status=optedout.

In addition to the above mechanism, the WT1 tracker honors the proposed HTTP "do not track" ("DNT") header: a user's browser sending this header will not be assigned a third-party tracking ID, and any existing third-party tracking cookie will be cleared. This behavior can be overridden by setting the ignoreDNT configuration directive to true, in which case DNT HTTP headers are ignored.
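The opt-out status values, the callback redirect and the DNT rule described above can be written down as a small decision model, useful as a reference when testing a deployment's opt-out behaviour. This is an added example, not WT1's own code: the function names and the shape of the config object are hypothetical, a DNT header value of "1" is assumed to mean "do not track", and not assigning an id to an opted-out user is assumed from the meaning of opt-out.

```javascript
// Added illustration: models the behaviour documented above; not WT1 source code.
const VISITOR_COOKIE = "__wt1tpvic"; // cross-site visitor id
const OPTOUT_COOKIE = "__wt1optout"; // holds "1" once the user has opted out

// Parse a Cookie request header into a name -> value Map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Status reported by /public/cookie/status; opt-out takes precedence.
function optOutStatus(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  if (jar.get(OPTOUT_COOKIE) === "1") return "optedout";
  return jar.has(VISITOR_COOKIE) ? "cookie" : "nocookie";
}

// Callback redirect target, or null when optoutCallbackUrl is not configured.
function statusRedirect(config, status) {
  return config.optoutCallbackUrl ? `${config.optoutCallbackUrl}?status=${status}` : null;
}

// Effects of /public/cookie/optout: clear the id, set the opt-out cookie, redirect.
function handleOptOut(cookieHeader, config) {
  const jar = parseCookies(cookieHeader);
  const cleared = jar.delete(VISITOR_COOKIE) ? [VISITOR_COOKIE] : [];
  jar.set(OPTOUT_COOKIE, "1");
  const after = [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
  const status = optOutStatus(after);
  const redirects = ["/public/cookie/status", statusRedirect(config, status)];
  return { cleared, set: [OPTOUT_COOKIE], status, redirects: redirects.filter(Boolean) };
}

// DNT handling on a tracking request. Assumption: the header value "1" means
// "do not track"; header names are lower-cased as Node's http module does.
function dntAction(headers, config) {
  const jar = parseCookies(headers.cookie);
  const honored = headers.dnt === "1" && !config.ignoreDNT;
  const blocked = honored || jar.get(OPTOUT_COOKIE) === "1";
  return { mayAssignId: !blocked && !jar.has(VISITOR_COOKIE),
           clearExisting: honored && jar.has(VISITOR_COOKIE) };
}
```
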

Retrieving the global visitor id from JavaScript code

When third-party cookie tracking is enabled, the WT1 backend maintains a global cross-site identifier for each unique visitor, using a cookie in the tracker domain. As this domain is typically different from the tracked page domain, this id is not accessible to JavaScript code.

The WT1 backend exposes an API to retrieve this id in JavaScript code if required by the application.

This API is available at the address ROOT_URL/public/globalId. It should be called with the name of a JavaScript function as its single argument, fun. It returns a JavaScript snippet calling this function with this session's global visitor id as a single string argument.

Example: a GET request on URL http://tracker.mycompany.com/public/globalId?fun=setGlobalId returns

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=ISO-8859-1
Content-Length: 48
 
setGlobalId("e244a5660a524b63b3b547e8632f8475");