First-party device IDs in Web SDK
The Adobe Experience Platform Web SDK assigns Adobe Experience Cloud IDs (ECIDs) to website visitors by using cookies, to track user behavior. To account for browser restrictions on cookie lifespans, you can opt to set and manage your own device identifiers instead. These are referred to as first-party device IDs (FPIDs).
You can either use first-party device IDs, or you can use third-party cookies, but you cannot use both features simultaneously.
This document covers how to configure first-party device IDs for your Platform Web SDK implementation.
Prerequisites
This guide assumes you are familiar with how identity data works for the Platform Web SDK, including the role of ECIDs and identityMap
. See the overview on identity data in the Web SDK for more information.
Using FPIDs
FPIDs track visitors by using first-party cookies. First-party cookies are most effective when they are set using a server that uses a DNS A record (for IPv4) or AAAA record (for IPv6), as opposed to a DNS CNAME or JavaScript code.
A
or AAAA
records are only supported for setting and tracking cookies. The primary method for data collection is through a DNS CNAME. In other words, FPIDs are set using an A record or AAAA record, and are then sent to Adobe using a CNAME.Once an FPID cookie is set, its value can be fetched and sent to Adobe as event data is collected. Collected FPIDs are used as seeds to generate ECIDs, which continue to be the primary identifiers in Adobe Experience Cloud applications.
To send an FPID for a website visitor to the Platform Edge Network, you must include the FPID in the identityMap
for that visitor. See the section later in this document on using FPIDs in identityMap
for more information.
ID formatting requirements
The Platform Edge Network only accepts IDs that comply with the UUIDv4 format. Device IDs that are not in UUIDv4 format will be rejected.
Generation of a UUID will almost always result in a unique, random ID, with the probability of a collision occurring being negligible. UUIDv4 cannot be seeded using IP addresses or any other personal identifiable information (PII). UUIDs are ubiquitous and libraries can be found for virtually every programming language to generate them.
Setting a cookie using your own server
When setting a cookie using a server that you own, various methods can be used to prevent the cookie from being restricted due to browser policies:
- Generate cookies using server-side scripting languages
- Set cookies in response to an API request made to a subdomain or other endpoint on the site
- Generate cookies using a CMS
- Generate cookies using a CDN
document.cookie
method will almost never be protected from browser policies that restrict cookie durations.When to set the cookie
The FPID cookie should ideally be set before making any requests to the Edge Network. However, in scenarios where that is not possible, an ECID is still generated using existing methods and acts as the primary identifier as long as the cookie exists.
Assuming the ECID is eventually impacted by a browser deletion policy, but the FPID is not, the FPID will become the primary identifier on the next visit and will be used to seed the ECID on each subsequent visit.
Setting the expiration for the cookie
Setting the expiration of a cookie is something that should be carefully considered as you implement the FPID functionality. When deciding this, you should consider the countries or regions in which your organization operates along with the laws and policies in each one of those regions.
As part of this decision, you may want to adopt a company-wide cookie-setting policy or one that varies for users in each locale where you operate.
Regardless of the setting you choose for the initial expiration of a cookie, you must ensure you include logic that extends the expiration of the cookie each time a new visit to the site occurs.
Impact of cookie flags
There are various cookie flags that impact how cookies are treated across different browsers:
HTTPOnly
http-only
Cookies set using the HTTPOnly
flag cannot be accessed using client-side scripts. This means that if you set an HTTPOnly
flag when setting the FPID, you must use a server-side scripting language to read the cookie value for inclusion in the identityMap
.
If you choose to have the Platform Edge Network read the value of the FPID cookie, setting the HTTPOnly
flag ensures that the value is not accessible by any client-side scripts but will not have any negative impact on the Platform Edge Network’s ability to read the cookie.
HTTPOnly
flag does not have an impact on the cookie policies that may restrict cookie lifetime. However, it is still something you should consider as you set and read the value of the FPID.Secure
secure
Cookies set with the Secure
attribute are only sent to the server with an encrypted request over the HTTPS protocol. Using this flag can help ensure that man-in-the-middle attackers cannot easily access the value of the cookie. When possible, it is always a good idea to set the Secure
flag.
SameSite
same-site
The SameSite
attribute lets servers determine whether cookies are sent with cross-site requests. The attribute provides some protection against cross-site forgery attacks. Three possible values exist: Strict
, Lax
, and None
. Consult your internal team to determine which setting is right for your organization.
If no SameSite
attribute is specified, the default setting for some browsers is now SameSite=Lax
.
Using FPIDs in identityMap
identityMap
Below is an example of how you would set an FPID in the identityMap
:
{
"identityMap": {
"FPID": [
{
"id": "123e4567-e89b-42d3-9456-426614174000",
"authenticatedState": "ambiguous",
"primary": true
}
]
}
}
As with other identity types, you can include the FPID with other identities within identityMap
. The following is an example of the FPID included with an Authenticated CRM ID:
{
"identityMap": {
"FPID": [
{
"id": "123e4567-e89b-42d3-9456-426614174000",
"authenticatedState": "ambiguous",
"primary": true
}
],
"EMAIL": [
{
"id": "email@mail.com",
"authenticatedState": "authenticated",
"primary": true
}
]
}
}
If the FPID is contained in a cookie being read by the Edge Network when first-party data collection is enabled, you should capture only the authenticated CRM ID:
{
"identityMap": {
"EMAIL": [
{
"id": "email@mail.com",
"authenticatedState": "authenticated",
"primary": true
}
]
}
}
The following identityMap
would result in an error response from the Edge Network since it is missing the primary
indicator for the FPID. At last one of the IDs present in identityMap
must be marked as primary
.
{
"identityMap": {
"FPID": [
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"authenticatedState": "ambiguous"
}
],
"EMAIL": [
{
"id": "email@mail.com",
"authenticatedState": "authenticated"
}
]
}
}
The error response returned by the Edge Network in this case would be similar to the following:
{
"type": "https://ns.adobe.com/aep/errors/EXEG-0306-400",
"status": 400,
"title": "No primary identity set in request (event)",
"detail": "No primary identity found in the input event. Update the request accordingly to your schema and try again.",
"report": {
"requestId": "{REQUEST_ID}",
"configId": "{CONFIG_ID}",
"orgId": "{ORG_ID}"
}
}
ID hierarchy
When both an ECID and FPID are present, the ECID is prioritized in identifying the user. This ensures that when an existing ECID is present in the browser cookie store, it remains the primary identifier and existing visitor counts do not risk being affected. For existing users, the FPID will not become the primary identity until the ECID expires or is deleted as a result of a browser policy or manual process.
Identities are prioritized in the following order:
- ECID included in the
identityMap
- ECID stored in a cookie
- FPID included in the
identityMap
- FPID stored in a cookie
Migrating to first-party device IDs
If you are migrating to using FPIDs from a previous implementation, it may be difficult to visualize what the transition might look like at a low level.
To help illustrate this process, consider a scenario that involves a customer who has previously visited your site and what impact an FPID migration would have on how that customer is identified in Adobe solutions.
ECID
cookie is always prioritized over the FPID
.FAQ
The following is a list of answers to frequently asked questions about first-party device IDs.
How is seeding an ID different from simply generating an ID?
The concept of seeding is unique in that the FPID passed to Adobe Experience Cloud is converted to an ECID using a deterministic algorithm. Each time the same FPID is sent the Adobe Experience Platform Edge Network, the same ECID is seeded from the FPID.
When should the first-party device ID be generated?
To reduce potential visitor inflation, the FPID should be generated before making your first request using the Web SDK. However, if you are unable to do this, an ECID will still be generated for that user and will be used as the primary identifier. The FPID that was generated will not become the primary identifier until the ECID is no longer present.
Which data collection methods support first-party device IDs?
Currently only Web SDK supports FPIDs.
Are FPIDs stored on any Platform or Experience Cloud solutions?
Once the FPID has been used to seed an ECID, it is dropped from the identityMap
and replaced with the ECID that has been generated. The FPID is not stored in any Adobe Experience Platform or Experience Cloud solutions.