How to configure HTTP Consent Cookies (CDN)

Configure our unique HTTP Consent Cookies feature with Cloudflare

Last updated About 3 hours ago

Ensure long-lived consent storage via the Consent Studio CMP HTTP Consent Cookies feature

Consent Studio sets cookies to store a cached version of a user's consent state and their Consent ID.

What are HTTP Consent Cookies?

It's a feature exclusive to Consent Studio Web CMP that makes a visitor's consent choice "stick" for longer, especially in browsers with aggressive tracking prevention.

Normally the consent banner stores its state (which categories were accepted, the consent ID, and the timestamp) in cookies written by JavaScript in the browser. Browsers increasingly cap JavaScript-written cookies to a short lifetime (often 7 days), so returning visitors get re-prompted sooner than they should.

HTTP Consent Cookies move that job to the server. Instead of the banner's JavaScript writing the cookies, the consent endpoint sets them through the HTTP response (Set-Cookie) with a 1 year lifetime. Because they are delivered first-party from the visitor's own domain, browsers treat them as long-lived rather than short-lived tracking cookies, so the consent decision survives much longer and visitors are re-asked far less often.

It's delivered in one of two ways so that the endpoint runs on the customer's own domain:

  • CNAME (consent.yourdomain.com pointing at Consent Studio), or

  • CDN Worker that proxies yourdomain.com/consent-studio/ssc to Consent Studio.

The three cookies it manages are consent-studio__storage (the accepted categories), consent-studio__consent-id (the consent record ID), and consent-studio__consent-timestamp. This makes sure that visitors are presented with fewer consent banners.

How to configure

How to configure HTTP Consent Cookies in Cloudflare

Prerequisites

We will work with a Cloudflare Worker. This requires the following conditions to be met beforehand.

  • You must have Cloudflare set up as the nameserver for your domain

  • You must have proxy mode enabled in Cloudflare for the domain that corresponds with your Consent Studio property ("site")

Registering the Cloudflare Worker

1. Open the Cloudflare dashboard by going to https://dash.cloudflare.com.

2. Make sure that you are within the target workspace.

3. Navigate to Workers & Pages in the Compute (Workers) section of the navigation panel on the left-hand side.

4. Select the Hello World template.

5. You will now get a success notification. Click the Edit code button in the top right corner.

6. In the code tab for the worker.js file, paste the code from our Cloudflare Worker repository on GitHub: https://github.com/vallonic/consent-studio-cloudflare-worker.

7. Press Deploy in the top right corner. Your worker is now available to connect to a domain/route.

Connecting a route to the worker

1. Go to Account home to see all your domains within your workspace. Select the domain that you want to install the worker on.

2. Within the context of a domain, click Workers Routes in the navigation column on the left.

3. Click Add route in the HTTP Routes section.

4. In the modal, use the following pattern for the route value:

[your domain here]/consent-studio/ssc*

Examples:

consent.studio/consent-studio/ssc*
vallonic.com/consent-studio/ssc*

5. In the modal, select the Worker that you registered in "Registering the Cloudflare Worker" above.

6. In the modal, click Save.

Instructing Consent Studio to use the CDN Worker

1. Open the General Settings panel in the Consent Studio dashboard.

2. Open the HTTP Consent Cookies tab. You may need to horizontally scroll in the tabs list.

3. Make sure that the Enable HTTP Consent Cookies toggle is enabled.

4. Make sure that the Enable HTTP Consent Cookies via a CDN Worker toggle is enabled.

5. Press Save Changes to make the changes definitive.

If Enable HTTP Consent Cookies and Enable HTTP Consent Cookies via a CDN Worker are both enabled but the worker is not set up correctly, you risk that your consent log does not register newly provided consent and that the HTTP consent cookies are not set. It is important that you test your configuration right away.
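One way to test the configuration, as an added example that is not Consent Studio's own code: it audits the Set-Cookie headers returned by the consent endpoint for the three cookie names and the 1 year lifetime described on this page. The header strings and cookie values below are constructed placeholders; the function names are this example's own.

```javascript
// Added example: audit the Set-Cookie headers returned by /consent-studio/ssc.
const EXPECTED = ["consent-studio__storage", "consent-studio__consent-id",
  "consent-studio__consent-timestamp"];
const DAY = 86400, WEEK = 7 * DAY, YEAR = 365 * DAY;

// Parse one Set-Cookie value into [name, lifetime]; lifetime is in seconds,
// or null when neither Max-Age nor Expires is present (session cookie).
function parseSetCookie(header, nowMs) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = parseInt(val, 10);
    if (key === "expires" && !Number.isNaN(Date.parse(val)))
      expires = Math.round((Date.parse(val) - nowMs) / 1000);
  }
  return [pair.split("=")[0], maxAge !== null ? maxAge : expires]; // Max-Age wins
}

// Return a list of problems; an empty list means all three cookies are long-lived.
function auditConsentCookies(setCookieHeaders, nowMs = Date.now()) {
  const seen = new Map(setCookieHeaders.map((h) => parseSetCookie(h, nowMs)));
  const problems = [];
  for (const name of EXPECTED) {
    const life = seen.get(name);
    if (!seen.has(name)) problems.push(`${name}: not set by the HTTP response`);
    else if (life === null) problems.push(`${name}: session cookie, no lifetime`);
    else if (life <= WEEK) problems.push(`${name}: lifetime ${life}s is 7 days or less`);
    else if (life < YEAR - DAY) problems.push(`${name}: lifetime ${life}s is under 1 year`);
  }
  return problems;
}

// Constructed sample headers (values are placeholders, not real Consent Studio output).
const NOW = Date.parse("2025-01-01T00:00:00Z");
const GOOD = [
  "consent-studio__storage=sample; Max-Age=31536000; Path=/",
  "consent-studio__consent-id=sample; Max-Age=31536000; Path=/",
  "consent-studio__consent-timestamp=sample; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/",
];
const BAD = [
  "consent-studio__storage=sample; Max-Age=604800; Path=/",
  "consent-studio__consent-id=sample; Path=/",
];
console.log(auditConsentCookies(GOOD, NOW), auditConsentCookies(BAD, NOW));
```

With a real response, pass the array from `response.headers.getSetCookie()` (Node 20 or later) or copy the Set-Cookie values from the browser's network panel.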

Known limitations

Safari limits CNAME-delivered HTTP Consent Cookies to 7 days

HTTP Consent Cookies can be delivered in two ways: through a CNAME record (for example consent.yourdomain.com) or through a CDN Worker running on your own domain.

When the CNAME method is used, Safari applies its tracking-prevention rules to the consent subdomain and shortens the lifetime of the cookies set through it to 7 days. This is enforced by Safari itself: the cookies are still sent with their full 1 year lifetime, and other browsers such as Chrome and Firefox keep them for the full year. Only Safari (and other WebKit-based browsers on iOS) applies the 7 day limit.

Because the limit comes from Safari, it cannot be changed from the consent banner or from your Consent Studio settings. To keep the full 1 year lifetime in Safari as well, use the CDN Worker method: it serves the cookies from your own domain, so Safari does not treat them as third-party and does not shorten them. The Worker method requires that your platform lets you run a CDN worker on your domain. Some hosted platforms (for example Shopify) do not allow this, and on those platforms the CNAME method stays subject to Safari's 7 day limit.

In other words: the path method (the CDN Worker on your own domain) is the preferred method.