First-party cookie lifespan and caps
Even first-party cookies no longer live as long as their stated expiry. Safari's Intelligent Tracking Prevention caps script-set first-party cookies to seven days (or 24 hours in some cases), and other browsers apply their own storage limits. This page explains how those caps work and why they fragment returning-visitor and retention metrics.
Why a stated expiry is not the real lifespan
A cookie's Expires/Max-Age attribute is a request, not a guarantee. WebKit's Intelligent Tracking Prevention caps the expiry of first-party cookies created through document.cookie (i.e. by JavaScript) to a maximum of seven days, and to 24 hours when the page was reached via a link decorated with tracking query parameters from a classified domain.
Server-set cookies sent in an HTTP response header are treated differently from script-set cookies, which is one reason analytics that relies on client-side cookie writing is hit hardest.
Effect on returning-visitor metrics
When the identifier resets every few days, a visitor who returns after a week looks brand new. That inflates 'new visitors', deflates 'returning visitors', and shortens measured retention curves on affected browsers. The data is not wrong about events — it is wrong about whether two visits came from the same device.
- Script-set first-party cookies capped to 7 days (ITP)
- 24-hour cap when arriving via tracking-decorated links
- Returning-visitor and retention metrics fragment as a result
How it appears in analytics and logs
If returning visitors are systematically undercounted on Apple devices, capped first-party cookie lifetimes are a likely cause — the visitor ID is being reset before they come back.
Diagnostic use case
Understand why returning-visitor and cohort retention numbers decay in Safari, and why a 'two-year' analytics cookie does not actually persist that long.
What WebmasterID can help detect
WebmasterID treats short-lived identifiers as expected and reports counts that degrade gracefully rather than assuming a persistent multi-year cookie.
Common mistakes
- Assuming a two-year cookie expiry actually persists in Safari.
- Reading inflated 'new visitor' counts as real audience growth.
- Comparing retention across browsers without noting cookie caps.
Privacy and accuracy notes
Cookie-lifetime caps are an anti-tracking measure, not a bug. This page describes documented browser behaviour and does not endorse working around it; shorter-lived identifiers are more privacy-protective.
Related pages
- Safari ITP and analytics privacy
Intelligent Tracking Prevention (ITP) is WebKit's privacy feature that partitions and limits storage to stop cross-site tracking in Safari. It blocks third-party cookies, caps script-set first-party cookie lifetimes, and constrains other client-side storage. This page summarises ITP's documented behaviours and what they mean for measuring audiences.
- Cookieless analytics: how it works and its limits
Cookieless analytics records visits and events without setting cookies or persistent cross-site identifiers. It relies on first-party, server-side signals and aggregate counting. The trade-off is honest: it cannot follow an individual across sessions the way cookie-based tracking can — which is exactly the point for privacy-first measurement.
- Fingerprinting and why to avoid it
Fingerprinting combines device and browser characteristics — fonts, screen, headers, hardware hints — into a quasi-identifier that can recognise a returning visitor without a cookie. Because it is hidden, hard to refuse, and resistant to clearing, browser vendors and privacy regulators treat it as a tracking technique to discourage. Privacy-first analytics deliberately does not fingerprint. This is educational, not legal advice.
- Privacy-first analytics
Counts that degrade gracefully without long-lived IDs.
Sources and verification notes
- WebKit — Intelligent Tracking Prevention 2.1 (cookie lifetime cap)Seven-day cap on client-side first-party cookies.
- WebKit — ITP 2.3 (24-hour cap and tracking decorations)24-hour cap and link-decoration handling.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.