posthog-js icon indicating copy to clipboard operation
posthog-js copied to clipboard
verified publisher icon PostHog

Cross-Domain cookie storage (SameSite=None)

Open mariusandra opened this issue 5 years ago • 2 comments

There are cases when you would like to track your users across multiple domains. We currently allow cross-subdomain cookies, but not cross-domain cookies. It's a bit more work to set them up, but the effort might be worth it.

Here's a regular ph_* cookie that we use to store the session data for https://kea.js.org/

image

It's stored on the ".kea.js.org" domain.

The "array.js" script is however loaded from "app.posthog.com" and contains a cookie that's pegged to it:

image

We could also store the session cookie, or a lighter version of it, against the "app.posthog.com" domain and thus have cross-domain sessions. A library like xdomain-cookies could help with that.

Some things to consider:

  • You can disable cross domain cookies in the browser settings and we must have a fallback in case that's so. It's bad if we lose all persistence because of this.
  • We must be careful not to mix accounts on app. We have multiple teams on app, and they should all have different cookies. It wouldn't be great if your site can read what other sites you use posthog on.

Additional context: this came out when talking to a user request in the users chat.

An alternative option to share the session is to do what google analytics does and add #posthog=ID to the end of every clicked link to any domain of yours. Probably not what we want to do though.

mariusandra avatar Jan 07 '21 14:01 mariusandra

Thanks for raising this @mariusandra

My current method for doing this is:

     (function wait_for_posthog() {
        if (window.posthog.__loaded === true) {
          write_links();
        } else {
          setTimeout(wait_for_posthog, 10);
        }
      })();

write_links adds ph_id to the outbound link from window.posthog.persistence.props.distinct_id

The issue with this method is that there is a period of time on slow connections/devices before the links get re-written meaning the attribution gets lost in some cases.

Relevant slack conversation: https://posthogusers.slack.com/archives/CT7HXDEG3/p1610027329463500

reedox avatar Jan 07 '21 14:01 reedox

Just search across issues and found this. We have a similar use case.

Context

Our landing page and application are on different domains. And we want to track across our landing page and application.

Questions

  • Do we only need to set ph_id on the link to our application? Will Posthog automatically pick it up?
  • Is there anything else that we need to do/notice?

DanSnow avatar Aug 29 '22 11:08 DanSnow