- Adobe Target Developer Guide
- Getting started
- Before you implement
- Privacy and security
- Privacy overview
- Privacy and data protection regulations
- Target cookies
- Delete the Target cookie
- The impact of third-party cookie deprecation on Target (at.js)
- Google Chrome SameSite cookie policies
- Apple Intelligent Tracking Prevention (ITP) 2.x
- Content Security Policy (CSP) directives
- Allowlist Target edge nodes
- Methods to get data into Target
- Target security overview
- Supported browsers
- TLS (Transport Layer Security) encryption changes
- CNAME and Adobe Target
- Client-side implementation
- Overview: implement Target for client-side web
- Adobe Experience Platform Web SDK implementation overview
- at.js implementation
- at.js overview
- How at.js works
- How to deploy at.js
- On-device decisioning
- at.js functions
- at.js functions overview
- adobe.target.getOffer()
- adobe.target.getOffers() - at.js 2.x
- adobe.target.applyOffer()
- adobe.target.applyOffers() - at.js 2.x
- adobe.target.triggerView() - at.js 2.x
- adobe.target.trackEvent()
- mboxCreate() - at.js 1.x
- targetGlobalSettings()
- mboxDefine() and mboxUpdate() - at.js 1.x
- targetPageParams()
- targetPageParamsAll()
- registerExtension() - at.js 1.x
- sendNotifications() - at.js 2.1
- at.js custom events
- Debug at.js using the Adobe Experience Cloud Debugger
- Use cloud-based instances with Target
- at.js FAQs
- at.js version details
- Upgrading from at.js 1.x to at.js 2.x
- at.js cookies
- User-agent and client hints
- Understand the Global mbox
- Server Side implementation
- Server Side: implement Target overview
- Getting started with Target SDKs
- Sample apps
- Transition from Target legacy APIs to Adobe I/O
- Core principles
- Integration
- On-Device Decisioning
- Node.js SDK Reference
- Java SDK Reference
- .NET SDK Reference
- Python SDK Reference
- Hybrid implementation
- Recommendations implementation
- Mobile app implementation
- Email implementation
- API guides
- Implementation patterns
Target cookies
The cookie behavior depends on whether it is a first-party cookie, a third-party cookie with a first-party cookie, or a third-party cookie alone.
For detailed information about the different cookies used by Target, see Adobe Target cookies in the Experience Cloud Central Interface Components Guide.
This topic contains information about mboxSession and mboxPC. Implementation best practices recommend that you do not link or store sensitive information with the cookie data: mboxSession or mboxPC.
See also Delete the Target cookie.
When to Use first-party or third-party cookies
Your site setup determines which cookies you want to use. It is helpful to understand how Target works when trying to understand first-party and third-party cookies. See How Adobe Target Works for more information.
There are three main use cases for cookies:
-
One domain.
All of your testing takes place within one top-level domain (
www.domain.com,store.domain.com,anysub.domain.com, and so forth).Approach: Use only first-party cookies (the default).
-
Users cross domains and you want to track and test their behavior across these domains.
Example: A user comes to your site to shop but checks out through Yahoo stores. Three approaches (work with your account representative to determine the best approach):
-
Enable first- and third-party cookies.
-
Enable third-party only (rare, but has the benefit of keeping the mbox cookie out of your domain).
-
Enable only first-party cookies and pass
mboxSessionparameter when crossing domain.The
mboxSessionparameter must be passed to a landing page and referenced from the JavaScript library (Adobe Experience Platform Web SDK or at.js). It cannot be an intermediate redirector page.
-
-
You are only using adboxes or Flashboxes on a third-party site.
Two approaches (work with your account representative to determine the best approach):
-
Enable first- and third-party cookies.
First- and third-party cookies are required for Flashbox and dynamic creatives.
-
Enable only third-party cookies.
This approach is only for the rare case where AdBox implementations are used without on-site targeting.
-
First-party cookie behavior
The first-party cookie is stored in clientdomain.com, where clientdomain is your domain.
The JavaScript library generates an mboxSession ID and stores it in the Target cookie. The first mbox response contains the offer, and the JavaScript to store the mboxPC ID generated by the application, in the mbox cookie.
The AMCV_###@AdobeOrg first-party cookie is always set with the Experience Cloud Visitor ID.
Third-party cookie behavior
The third-party cookie is stored in clientcode.tt.omtrdc.net and the first-party cookie is stored in clientdomain.com, where clientdomain is your domain.
The JavaScript library generates an mboxSession ID. The first location request returns HTTP response headers that attempt to set third-party cookies named mboxSession and mboxPC and a redirect request is sent back with an extra parameter ( mboxXDomainCheck=true).
If the browser accepts third-party cookies, the redirect request includes those cookies, and the offer is returned.
If the browser rejects third-party cookies, the redirect request does not include those cookies, and default content is displayed for all locations on the page. Because there are no cookies set, the same process above happens again on every page request.
The demdex.net cookie is set if third-party cookies are not blocked.
Third-party and first-party cookie behavior
The third-party cookie is stored in clientcode.tt.omtrdc.net and the first-party cookie is stored in clientdomain.com, where clientdomain is your domain.
The JavaScript library generates an mboxSession ID. The first location request returns HTTP response headers that attempt to set third-party cookies named mboxSession and mboxPC, and a redirect request is sent back with an extra parameter (mboxXDomainCheck=true).
If the browser accepts third-party cookies, the redirect request includes those cookies, and the offer is returned.
Some browsers reject third-party cookies. If the third-party cookie is blocked, the first-party cookie still works. Target attempts to set the third-party cookie, and if it cannot, then Target can only track on the client’s specific domain. Cross-domain tracking does not work if the third-party cookie is blocked, unless the mboxSession is appended in the link that crosses domains. In this case, another first-party cookie is set and synched with the prior domain’s first-party cookie.
Cookie settings
The cookie has several default settings. You can change these settings if needed, except the cookie duration. Consult your account representative when changing cookie settings.
| Setting | Information |
|---|---|
| Cookie name | mbox. |
| Cookie domain | The second and top levels of the domains from which you serve the content. Because it is served from your company’s domain, the cookie is a first-party cookie. Example: mycompany.com. |
| Server domain | clientcode.tt.omtrdc.net, using the client code for your account. |
| Cookie duration | The cookie remains on the visitor’s browser two weeks from the last login. You cannot change the cookie duration. |
| P3P policy | The cookie is published with a P3P policy, as required by the default setting in most browsers. A P3P policy indicates to a browser who is serving the cookie and how the information is used. |
The cookie keeps various values to manage how your visitors experience campaigns:
| Value | Definition |
|---|---|
| session ID | A unique ID for a user session. By default, this ID lasts 30 minutes. |
| pc ID | A semi-permanent ID for a visitor’s browser. Lasts 14 days. |
| check | A simple test value used to determine if a visitor supports cookies. Set each time a visitor requests a page. |
| disable | Set if visitor’s load time exceeds the timeout configured in the JavaScript library file. By default, this value lasts one hour. |
Impact on Target for Safari visitors due to Apple WebKit tracking changes
How does Target tracking work?
| Cookies | Details |
|---|---|
| First-party domains | The standard implementation for Target customers. The “mbox” cookies is set in the customer’s domain. |
| Third-party tracking | Third-party tracking is important for advertising and targeting use cases in Target and in Adobe Audience Manager (AAM). Third-party tracking requires cross-site scripting techniques. Target uses two cookies, “mboxSession” and “mboxPC” set in the clientcode.tt.omtrd.net domain. |
What is Apple’s approach?
From Apple:
“Intelligent Tracking Prevention is a new WebKit feature that reduces cross-site tracking by further limiting cookies and other website data.”
“This is what’s called cross-site tracking and the cookie used by example-tracker.com is called a third-party cookie. In our testing we found popular websites with over 70 such trackers, all silently collecting data on users.”
| Approach | Details |
|---|---|
| Intelligent tracking prevention | For more information, see Intelligent Tracking Prevention on the WebKit Open Source Web Browser Engine website. |
| Cookies | How Safari handles cookies:
|
| Machine Learning to identify domains that are cross-site | From Apple: Machine Learning Classifier: A machine learning model is used to classify which top privately controlled domains can track the user cross-site, based on the collected statistics. Out of the various statistics collected, three vectors turned out to have strong signal for classification based on current tracking practices: subresource under number of unique domains, sub frame under number of unique domains, and number of unique domains redirected to. All data collection and classification happens on-device. However, if the user interacts with example.com as the top domain, often referred to as a first-party domain, Intelligent Tracking Prevention considers it a signal that the user is interested in the website and temporarily adjusts its behavior as depicted in this timeline:If the user interacted with example.com the last 24 hours, its cookies are available when example.com is a third party. This practice allows for “Sign in with my X account on Y” login scenarios.
|
How is Adobe affected?
| Affected Functionality | Details |
|---|---|
| Opt-out support | Apple’s WebKit tracking changes breaks opt-out support. Target opt-out uses a cookie in the clientcode.tt.omtrdc.net domain. For more details, see Privacy.Target supports two opt-outs:
|
| Target activities | Customers can choose their profile lifetime length for their Target accounts (up to 90 days). The concern is that if the account’s profile lifetime is longer than 30 days, and the first-party cookie gets purged because the customer’s domain has been marked as tracking users cross-site, behavior for Safari visitors are affected in the following areas in Target: Target reports: If a Safari user enters into an activity, returns after 30 days, and then converts, that user counts as two visitors and one conversion. This behavior is the same for activities using Analytics as the reporting source (A4T). Profile & activity membership:
Suggestions: If there is a concern that the customer domain might be marked as one tracking visitors cross-session, it is safest to set the profile lifetime to 30 days or fewer in Target. This limit ensures that users are tracked similarly in Safari and all other browsers. |
