Third party Cookie (Tracking Cookie)

Third party Cookies are cookies created by other sites (ie that comes from another domain (ie a third party) than the hosted web page.

These sites own some of the content, like ads or images, that you see and was included on the webpage you visit.

Technically, If the domain property of the cookie is:

  • the same as the domain of the page you are on, it's a first-party cookie.
  • different, it is a third-party cookie.

While the server hosting a web page sets first-party cookies, the page may contain:

in other domains which performs cross-oirgin request and may set third-party cookies.


Cross-site tracking

They allows cross site tracking

These are mainly used for advertising and tracking across the web.

This cookie are cookie identifier and are send back at every future HTTP request (fetch) of the third party script to their origin (the third-party server - advertiser).

They are also referred to as tracking cookies.

cross-origin authentication

See cross-origin authentication


You can see them in the browser devtool

Third Party Cookie Listing Devtool



  • A tracking file example (Javascript mixed with php that set a cookie)
header('content-type: text/javascript');
$uniqueId = uniqid();
setcookie("bytle_uniq_id", $uniqueId, time()+3600*24*30, '/'); 

console.log('The bytle tracking javascript was executed');
  • The htaccess to redirect an URL to tracking.js to tracking.php
RewriteBase /
RewriteRule ^tracking.js$ tracking.php
  • When this script is added to a page, it will return each time that the page is loaded the unique Id.
<script src="">
  • Unfortunately, the code below does not work because it's runned in a iframe but if you open the devtool (See below), you can see the cookie send for each request of tracking.js
var cookie = document.cookie.split(";").filter( (item) => item.trim().startsWith('bytle') )[0];
if (typeof cookie != 'undefined') {
    console.log('The bytle cookie was found with the value '+cookie.split('=')[1]);
} else {
   console.log('The bytle cookie was not found');
  • The devtool that shows the cookie sends

Third Party Cookie

Documentation / Reference

Recommended Pages
Card Puncher Data Processing
Analytics - (Cross-site | Cross-domain) tracking - Site linking

cross-site tracking is a tracking technique that permits to follow a user across web sites (ie to follow users from site to site) Cross-domain measurement makes it possible for Analytics to see sessions...
Card Puncher Data Processing
Authentication - Cross Origin Authentication

When the authorization_endpoint is not from the same origin, this is a cross-origin' authentication. A redirect to the endpoint where the authentication happens there. The user's credentials...
Cookie Scope Name
Cookie - Scope

The scope of a cookie name is a calculated property defined by the concatenation of the and attributes. If the request URL matches the scope (ie domain and path expression), the user agent (browser)...
Chrome Cookies
HTTP - Cookie (Set-Cookie Header )

A cookie is a key-value data and some associated It is: set: by the server side with a HTTP response and the Set-Cookie header and eventually on a client side with the browser web api stored...
HTTP - Cross-Origin Request

A cross-origin request is a request that was not created by code (html page, javascript, ...)) of the same origin. cross site requestsame origin requestcross-originsame origin A page may contain images...
Card Puncher Data Processing
Security - Third Party

A third party is an external entity to your organisation or to your code.
Set Cookie Block Bad Domain Att Vs Current Host Url
The domain property of a cookie in depth

This article is about the domain property of a cookie and defines what is a domain, how it's used and what's permitted.
Card Puncher Data Processing
What is a DNS CNAME (Canonical Name) ?

A CNAME (Canonical Name) is the DNS alias functionality that maps a domain name to another name. More ...

Share this page:
Follow us:
Task Runner