Configuration
Cookie Settings
SourceTag stores attribution data in a first-party cookie on your domain. This page covers the default settings, what the cookie contains, and how to change the configuration.
Default settings
| Setting | Default value | Description |
|---|---|---|
| Cookie name | _sourcetag | The name of the cookie set on your domain |
| Cookie lifetime | 400 days | How long the cookie persists in the browser |
| Cookie domain | Auto-detected | Set to the root domain for subdomain support |
| Secure flag | Set on HTTPS | Cookie only sent over encrypted connections |
| SameSite | Lax | Protects against CSRF while allowing normal navigation |
| Session timeout | 30 minutes (1,800,000 ms) | How long before a period of inactivity counts as a new session |
Cookie configuration
The cookie name and lifetime are set automatically and no configuration is required.
Cookie name
The cookie is named _sourcetag.
Cookie lifetime
The cookie lifetime is 400 days. This means if a visitor comes to your site and doesn’t return for a year, their attribution data will still be available when they come back.
Note: Safari limits JavaScript-set cookies to 7 days via ITP regardless of this setting. Other privacy-focused browsers may impose similar restrictions. See Safari Cookies for details and workarounds.
Session timeout
The session timeout is 30 minutes, matching Google Analytics’ session definition. If a visitor is inactive for longer than this, their next page view counts as a new session, incrementing the st_visits counter. This value is not configurable.
Cookie domain
The cookie domain is auto-detected from the current hostname. SourceTag extracts the root domain (e.g. example.com from www.example.com or blog.example.com) and sets the cookie on .example.com. This means subdomains automatically share the same cookie without any manual configuration.
Secure flag and SameSite
On HTTPS sites, the cookie is set with the Secure flag, meaning it’s only sent over encrypted connections. The SameSite attribute is set to Lax, which prevents the cookie from being sent on cross-site requests (protecting against CSRF) while still allowing it to be sent on normal top-level navigations.
What the cookie stores
The _sourcetag cookie contains a JSON object with the following structure. You can inspect it in your browser’s developer tools (Application > Cookies).
| Top-level key | Description |
|---|---|
fc | First click touch data (set once, never overwritten) |
lc | Last click touch data (updated on each new visit with attribution data) |
visits | Total number of sessions |
firstVisit | Timestamp of the very first visit |
lastSeen | Timestamp of the most recent page view |
Each touch object (fc and lc) contains: channel, d1-d4 (smart fields), source, medium, campaign, term, content, lp (landing page), clickId, clickIdType, clickIds, refDomain, ts (timestamp), and cp (custom parameters, if configured).
You can inspect the cookie in your browser dev tools: Application tab > Cookies > select your domain > find _sourcetag.
Note: The www. prefix is automatically stripped from referrer domains. A referrer of www.facebook.com is stored as facebook.com.
Key properties
fc(first click): The touch data from the visitor’s first-ever visit. This is set once and never overwritten.lc(last click): The touch data from the most recent visit that had new attribution data (UTMs, click IDs, custom parameters, or an external referrer). Updated on each qualifying visit.visits: Running count of sessions. Incremented each time the visitor returns after the session timeout has elapsed.firstVisit: Unix timestamp (milliseconds) of the very first visit.lastSeen: Unix timestamp (milliseconds) of the most recent page view. Used to calculate session boundaries.
Touch object properties
Each touch (fc and lc) contains:
| Property | Description |
|---|---|
channel | Categorised channel name |
d1 through d4 | Detail field values (content depends on channel) |
source | Raw utm_source value |
medium | Raw utm_medium value |
campaign | Raw utm_campaign value |
term | Raw utm_term value |
content | Raw utm_content value |
lp | Full landing page path and query string |
clickId | Primary click ID value |
clickIdType | Primary click ID type (gclid, fbclid, etc.) |
clickIds | All detected click IDs as key-value pairs |
refDomain | Referrer domain |
ts | Timestamp of this touch (Unix ms) |
cp | Custom parameter values as key-value pairs (only present if custom parameters are configured and detected in the URL) |
Cookie size
The cookie is typically 1-3 KB depending on how much attribution data is captured. URL-encoded JSON can be larger. Browsers generally allow up to 4 KB per cookie, so this stays well within limits for most cases.
If you’re capturing very long campaign names or landing page URLs, keep an eye on the cookie size. You can inspect it in your browser’s developer tools under Application > Cookies.
Cookie scope
The cookie is set with path=/, SameSite=Lax, and the Secure flag (on HTTPS sites). The cookie domain is auto-detected to the root domain. This means:
- It’s accessible on all pages of the current domain and its subdomains
- It’s not sent on cross-site requests (protecting against CSRF)
- On HTTPS, it’s only transmitted over encrypted connections
- It’s a first-party cookie (set by JavaScript running on your domain)
The cookie does not cross between different top-level domains. If you run example.com and myotherbrand.com, each will have its own cookie. However, subdomains like www.example.com and blog.example.com share the same cookie automatically. See Cross-Domain and Subdomains for more detail.
Doesn't answer your question or need more help? Get in touch.