First-party and third-party cookies
Recommended to first go through my earlier articles
How the browser renders the website page? — https://pandurangpatil.medium.com/how-browser-renders-the-website-efe65ba9dc26
How does the HTTP protocol work? — https://pandurangpatil.medium.com/how-does-http-protocol-work-426b1a4158f3
How are cookies handled by the Browser? — https://pandurangpatil.medium.com/how-cookies-are-handled-by-the-browser-8e8f650c8a99
If you have gone through the above articles probably you have been able to connect the dots between HTTP cookies, requests, server & Browser.
Now let’s understand how to differentiate between first-party and third-party cookies.
When you try to access any website from your browser e.g. “https://www.facebook.com”. It will open the respective site’s default page in your browser. While accessing this page the cookies that are created against the domain of the site in this case “www.facebook.com” or its parent domain i.e. “.facebook.com” are called first-party cookies.
1. Let’s take an example open incognito mode and hit “https://www.facebook.com” in the address bar.
Open dev tools and go to the “Application” tab. From the left panel expand the “Cookies” section. You will find there are a few cookies created against the “.facebook.com” parent domain of “www.facebook.com”. These are first-party cookies in the context of the current site being accessed. Any other cookie whose domain doesn’t end with “facebook.com” while accessing https://www.facebook.com will be a third-party cookie.
2. Let’s take another example to understand both first-party and third-party cookies in one place. Open another tab in the same incognito window and hit “https://www.ugaoo.com”
When you access this site and look at the cookies you will find cookies being created against “www.ugaoo.com” as well as “.ugaoo.com”. These cookies are will be referred to as first-party cookies as these are created against the URL domain that you are accessing i.e. www.ugaoo.com
You will also find cookies against the domain “.facebook.com”, “.doubleclick.net”, “.google.com” etc. These are the third-party cookies referred to and used while accessing this “www.ugaoo.com” site.
If you pay attention to the cookies with the domain “.facebook.com” you will find the value of these cookies is the same as that of cookies we witnessed while accessing the “www.facebook.com”.
So first-party and third-party cookies are relative to the site being accessed by the user. If the site being accessed by the user is “www.facebook.com” then all the cookies that are created with the domain “www.facebook.com” or “.facebook.com” are first-party cookies. Same cookies will be treated as third-party cookies when the user access “www.ugaoo.com”.
This raises the next question of why “.facebook.com” cookies are being used while accessing “www.ugaoo.com”.
This is because when we drop a Javascript Facebook meta pixel on any site, in this example there is a Facebook meta pixel dropped on “ugaoo.com”. This pixel will make HTTP requests to “facebook.com” servers to record the events fired on the user’s browser. Because these HTTP requests are made to “facebook.com” servers while the user is accessing the “ugaoo.com” site these cookies which are mapped to the “.facebook.com” domain is getting accessed.
The same is the case for “.google.com” cookies as Google Analytics and Google ads pixel were dropped on “ugaoo.com”, hence being accessed.
However, you might wonder how come “.doubleclick.net” is accessed. As you might not have dropped any pixel directly on your site from “doubleclick.net”. This is where the magic of HTTP or web works unknowingly and not so techy people fail to connect the dots.
It is possible to add another pixel from one pixel through Javascript, which is what Google Tag Manager facilitates. In the case of “doubleclick.net”, it has been added through Google Ads pixel which is used for identifying users for Google’s display network. Which is operated under the “doubleclick.net” domain even after Google acquired DoubleClick 15 years back.
