GhazanfarApril 17, 20263 min read

Safari’s ITP limits JavaScript-set cookies to 7 days. Firefox caps them at 90 days. Your GA4 client_id cookie gets wiped weekly for Safari users — artificially inflating new user counts and breaking attribution. Server-side GTM lets you set a first-party cookie via HTTP response headers, which bypasses ITP and enables the 400-day maximum. Here’s exactly how to configure it.

Why JavaScript Cookies Get Capped

ITP classifies cookies set via document.cookie as “client-side” and restricts them to 7 days. A cookie set by your own server via the Set-Cookie HTTP header is treated as first-party server-side — ITP doesn’t restrict these. The 400-day limit is a browser maximum, not an ITP restriction. GA4’s _ga cookie is set by gtag.js (client-side) and expires in 7 days on Safari. Server-side GTM replaces this with a server-set cookie lasting up to 400 days.

Architecture: How SS GTM Sets Long-Lived Cookies

  • Client browser sends request to your GTM Server container (metrics.yourdomain.com)
  • The GA4 client in GTM SS reads the incoming hit
  • A cookie tag writes Set-Cookie back in the HTTP response
  • Browser receives a server-set cookie — no ITP restrictions
  • Next hit includes the cookie in request headers

Cookie Configuration in GTM Server-Side

// Cookie settings for the Set Cookie tag in GTM SS
Cookie Name: _ga_fpid
Cookie Value: {{GA4 Client ID}}
Max Age: 34560000  // 400 days in seconds
Domain: .yourdomain.com  // leading dot for subdomain coverage
Path: /
Secure: true
HttpOnly: false  // GA4 needs JS read access
SameSite: Lax

Reading the Cookie Back on the Client Side

Server-Side GTM Cookie Duration: First-Party Cookies That Last 400 Days
// In GTM web: 1st Party Cookie variable for _ga_fpid
// Then in GA4 config tag, override client_id:
gtag('config', 'G-XXXXXXXXXX', {
  'client_id': '{{1st Party Cookie - _ga_fpid}}'
});
// Safari users now keep the same client_id beyond 7 days

Validating the Cookie Duration

After setup: Chrome DevTools → Application → Cookies → your domain. Find _ga_fpid and check Expires — it should show ~400 days from now. In Safari: Web Inspector → Storage → Cookies. Verify the same cookie with far-future expiry.

Impact on GA4 Data Quality

Properties with high Safari traffic (typically 20–35% for consumer brands) see 15–25% reduction in “new users” after implementing server-side cookies. Returning user recognition improves, session counts stabilize, and attribution models become more accurate because users aren’t re-attributed to direct traffic after cookie expiry.

Implementation Checklist

  • ☐ GTM Server container deployed on your subdomain
  • ☐ GA4 client configured in SS container
  • ☐ Cookie-writing tag created with Max-Age: 34560000
  • ☐ Client-side GA4 tag reads server cookie as client_id override
  • ☐ Verify cookie expiry in DevTools
  • ☐ Monitor new/returning user ratio for 30 days post-implementation

Related: GTM Server-Side Preview Mode, Meta Pixel Server-Side Deduplication.

Guide

Leave a Comment