Configuration
Cookie Settings
SourceTag stores attribution data in a first-party cookie on your domain. This page covers the default settings, what the cookie contains, and how to change the configuration.
Default settings
| Setting | Default value | Description |
|---|---|---|
| Cookie name | _sourcetag | The name of the cookie set on your domain |
| Cookie lifetime | 400 days | How long the cookie persists in the browser |
| Cookie domain | Auto-detected | Set to the root domain for subdomain support |
| Secure flag | Set on HTTPS | Cookie only sent over encrypted connections |
| SameSite | Lax | Protects against CSRF while allowing normal navigation |
| Session timeout | 30 minutes (1,800,000 ms) | How long before a period of inactivity counts as a new session |
Changing cookie settings
You can change these values in the SourceTag dashboard:
- Go to your site’s Settings page in the dashboard
- Update the values under the Cookie Configuration section
- Click Save
- Click Generate Script to rebuild and redeploy your tracking script
The new values are baked into the script configuration, so you must regenerate the script for changes to take effect.
[IMAGE: Screenshot of the SourceTag dashboard Cookie Configuration section showing the cookie name and lifetime fields]
Cookie name
The default cookie name is _sourcetag. You might want to change this if:
- Your cookie consent tool needs a specific naming convention
- You’re running multiple SourceTag instances (e.g. separate sites on subdomains) and want distinct cookies
- Your organisation has naming standards for first-party cookies
Choose something descriptive. Avoid names that conflict with other cookies on your domain.
Cookie lifetime
The default is 400 days. This means if a visitor comes to your site and doesn’t return for a year, their attribution data will still be available when they come back.
You might want to shorten this if:
- Your sales cycle is short and old data isn’t relevant
- You want to comply with regional cookie regulations that recommend shorter lifetimes
You might want to lengthen this for long B2B sales cycles where leads may not convert for months.
Note: Safari, Brave, and other privacy-focused browsers limit JavaScript-set cookies to 7 days regardless of this setting. See Safari Cookies for details and workarounds.
Session timeout
The session timeout is 30 minutes, matching Google Analytics’ session definition. If a visitor is inactive for longer than this, their next page view counts as a new session, incrementing the st_visits counter. This value is not configurable.
Cookie domain
The cookie domain is auto-detected from the current hostname. SourceTag extracts the root domain (e.g. example.com from www.example.com or blog.example.com) and sets the cookie on .example.com. This means subdomains automatically share the same cookie without any manual configuration.
Secure flag and SameSite
On HTTPS sites, the cookie is set with the Secure flag, meaning it’s only sent over encrypted connections. The SameSite attribute is set to Lax, which withholds the cookie from cross-site subrequests and cross-site form posts (protecting against CSRF) while still allowing it to be sent on normal top-level navigations.
What the cookie stores
The _sourcetag cookie contains a JSON object with the following structure. You can inspect it in your browser’s developer tools (Application > Cookies).
| Top-level key | Description |
|---|---|
| fc | First contact touch data (set once, never overwritten) |
| lc | Last contact touch data (updated on each new visit with attribution data) |
| visits | Total number of sessions |
| firstVisit | Timestamp of the very first visit |
| lastSeen | Timestamp of the most recent page view |
Each touch object (fc and lc) contains: channel, d1-d4 (detail fields), source, medium, campaign, term, content, lp (landing page), lpg (landing page group), clickId, clickIdType, clickIds, refDomain, ts (timestamp).
You can inspect the cookie in your browser dev tools: Application tab > Cookies > select your domain > find _sourcetag.
Note: The www. prefix is automatically stripped from referrer domains. A referrer of www.facebook.com is stored as facebook.com.
Key properties
- fc (first contact): The touch data from the visitor’s first-ever visit. This is set once and never overwritten.
- lc (last contact): The touch data from the most recent visit that had new attribution data (UTMs, click IDs, or an external referrer). Updated on each qualifying visit.
- visits: Running count of sessions. Incremented each time the visitor returns after the session timeout has elapsed.
- firstVisit: Unix timestamp (milliseconds) of the very first visit.
- lastSeen: Unix timestamp (milliseconds) of the most recent page view. Used to calculate session boundaries.
Touch object properties
Each touch (fc and lc) contains:
| Property | Description |
|---|---|
| channel | Categorised channel name |
| d1 through d4 | Detail field values (content depends on channel) |
| source | Raw utm_source value |
| medium | Raw utm_medium value |
| campaign | Raw utm_campaign value |
| term | Raw utm_term value |
| content | Raw utm_content value |
| lp | Full landing page path and query string |
| lpg | Landing page group (first path segment) |
| clickId | Primary click ID value |
| clickIdType | Primary click ID type (gclid, fbclid, etc.) |
| clickIds | All detected click IDs as key-value pairs |
| refDomain | Referrer domain |
| ts | Timestamp of this touch (Unix ms) |
Cookie size
The cookie is typically 1-3 KB depending on how much attribution data is captured. URL-encoded JSON can be larger. Browsers generally allow up to 4 KB per cookie, so this stays well within limits for most cases.
If you’re capturing very long campaign names or landing page URLs, keep an eye on the cookie size. You can inspect it in your browser’s developer tools under Application > Cookies.
[IMAGE: Screenshot of browser developer tools showing the _sourcetag cookie and its value in the Application > Cookies panel]
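Because the cookie is written by JavaScript in the visitor's browser, any code that later reads it is handling visitor-controlled input. The following added example (not SourceTag's own code) checks a raw cookie value against the structure, size limit and session timeout described on this page. It assumes the value is URL-encoded JSON, that both fc and lc are present, and that string fields may be empty or missing; the function names and the sample value are constructed for illustration.

```javascript
// Added example, not SourceTag code. Assumes the cookie value is URL-encoded JSON
// and that field types follow the tables on this page (strings, Unix-ms numbers).
const MAX_COOKIE_BYTES = 4096;       // typical per-cookie browser limit
const SESSION_TIMEOUT_MS = 1800000;  // 30 minutes, from the defaults table
const TOUCH_STRINGS = ['channel', 'd1', 'd2', 'd3', 'd4', 'source', 'medium', 'campaign',
  'term', 'content', 'lp', 'lpg', 'clickId', 'clickIdType', 'refDomain'];

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

function checkTouch(name, touch, errors) {
  if (!isObject(touch)) { errors.push(`${name}: not an object`); return; }
  for (const key of TOUCH_STRINGS) {
    const v = touch[key];  // empty or missing fields are allowed, other types are not
    if (v != null && typeof v !== 'string') errors.push(`${name}.${key}: not a string`);
  }
  if (touch.clickIds != null && !isObject(touch.clickIds)) errors.push(`${name}.clickIds: not an object`);
  if (!Number.isFinite(touch.ts)) errors.push(`${name}.ts: not a number`);
}

function inspectSourceTagCookie(rawValue, now = Date.now(), name = '_sourcetag') {
  const errors = [];
  const bytes = new TextEncoder().encode(`${name}=${rawValue}`).length;
  if (bytes > MAX_COOKIE_BYTES) errors.push(`cookie is ${bytes} bytes (limit ${MAX_COOKIE_BYTES})`);
  let data = null;
  try { data = JSON.parse(decodeURIComponent(rawValue)); } catch (err) { /* reported below */ }
  if (!isObject(data)) {
    errors.push('value is not a URL-encoded JSON object');
    return { ok: false, bytes, errors, newSession: null };
  }
  checkTouch('fc', data.fc, errors);
  checkTouch('lc', data.lc, errors);
  if (!Number.isInteger(data.visits) || data.visits < 1) errors.push('visits: not a positive integer');
  for (const key of ['firstVisit', 'lastSeen']) {
    if (!Number.isFinite(data[key])) errors.push(`${key}: not a number`);
  }
  if (data.firstVisit > data.lastSeen) errors.push('firstVisit is later than lastSeen');
  const ok = errors.length === 0;
  // Same rule the page gives for counting sessions: inactivity beyond the timeout.
  return { ok, bytes, errors, newSession: ok ? now - data.lastSeen > SESSION_TIMEOUT_MS : null };
}

// Constructed sample value, for illustration only.
const touch = { channel: 'Paid Search', source: 'google', medium: 'cpc', lp: '/pricing?utm_source=google',
  lpg: 'pricing', clickIdType: 'gclid', clickIds: { gclid: 'EXAMPLE' }, refDomain: 'google.com', ts: 1700000000000 };
const SAMPLE = encodeURIComponent(JSON.stringify(
  { fc: touch, lc: touch, visits: 2, firstVisit: 1700000000000, lastSeen: 1700003600000 }));
```

Calling `inspectSourceTagCookie(SAMPLE)` returns `ok: true` with the cookie's byte size; a value with wrong types, broken encoding or more than 4 KB comes back with `ok: false` and a list of reasons.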
Cookie scope
The cookie is set with path=/, SameSite=Lax, and the Secure flag (on HTTPS sites). The cookie domain is auto-detected to the root domain. This means:
- It’s accessible on all pages of the current domain and its subdomains
- It’s not sent on cross-site subrequests or cross-site form posts (protecting against CSRF), though it is still sent on normal top-level navigations
- On HTTPS, it’s only transmitted over encrypted connections
- It’s a first-party cookie (set by JavaScript running on your domain)
The cookie does not cross between different top-level domains. If you run example.com and myotherbrand.com, each will have its own cookie. However, subdomains like www.example.com and blog.example.com share the same cookie automatically. See Cross-Domain and Subdomains for more detail.