Adobe Target cookies

Last update: 2023-06-12
  • Topics:
  • Cookies
    View more on this topic
  • Created for:
  • Experienced

Adobe Target uses cookies to give website operators the ability to test which online content and offers are more relevant to visitors.


The information in this article applies to the Target at.js JavaScript library only.

For information about cookies used in a Target implementation using the Adobe Experience Platform Web SDK, see “Does the Adobe Experience Platform Web SDK use cookies? If so, what cookies does it use?” in Frequently Asked questions in the DNL Platform Web SDK overview guide.

You can change settings discussed in this article if needed, except for the cookie duration. Consult your account representative when changing cookie settings.

Target users can also create customized third-party cookies.

First-party cookies

The following first-party cookies are stored on the customer’s domain:

Cookie Details
mbox Stores anonymous identifiers about the visitor.

Cookie domain: The domain from which you serve the mbox. Because this cookie is served from your company’s domain, the cookie is a first-party cookie. Example: If any of your domain names include a country code, such as, work with your Client Services to configure at.js to support this code. For information about customizing the cookie domain, if necessary, see “cookieDomain” under targetGlobalSettings in the Adobe Target Developer Guide.

Server domain:, using the client code for your Target account.

Cookie duration: The cookie remains on the visitor’s browser two years from the last login. You cannot change the cookie duration.

The cookie keeps some values to manage how your visitors experience Target activities:

session ID: A unique identifier for a given user session. By default the session expires after 30 minutes of inactivity. If you are generating sessionId yourself (for example, for server-side implementations), ensure the following:

  • The session ID can be any printable string except a space, question mark ( ? ), or a forward slash ( / ).
  • The session ID should be from 1 to 128 characters in length.
  • For a particular session, the cookie’s value must stay the same across multiple requests.
  • You should never have parallel sessions (distinct sessionIds) for a given visitor at any point in time.
Routing to a particular node in the edge cluster is done using session ID.
  • The session is active for 30 minutes on the server side. Therefore, you shouldn’t use a different session Id for a particular tntId/thirdPartyId within 30 minutes of the last request made with the tntId/thirdPartyId. Otherwise, changes to the profile could be inconsistent and unpredictable.
  • A new session ID must be used after thirty minutes of inactivity from a visitor.
  • Using the same session ID with multiple tntIds/thirdPartyIds can cause unpredictable changes to the profiles identified by the tntId/thirdPartyIDs.
NOTE: See limit on number of concurrent requests for a given session ID.

pc ID: A semi-permanent ID for a visitor’s browser. Lasts until cookies are manually deleted.

check: A simple test value used to determine if a visitor supports cookies. Set each time a visitor requests a page.

disable: Set if a visitor’s load time exceeds the timeout configured in the at.js file. By default, this timeout lasts one hour.

at_check Temporary cookie to check if the cookie read/write capability is enabled on the browser.
mboxEdgeCluster This cookies is only present when/if overrideMboxEdgeServer setting is set to true.

It is not possible to use HTTPOnly on the these first-party cookies. The at.js JavaScript library needs to read/write to these cookies. These cookies are created by at.js and are not set from the server.

The secure setting can be enabled on all of these cookies using the secureOnly: true configuration in the at.js implementation.

Third-party cookies

The following third-party cookies are stored on

Cookie Details
customerclientcode!mboxPC This cookie is present if cross domain is enabled.
customerclientcode!mboxSession This cookie is present if cross domain is enabled.

These third-party cookies are HTTPOnly out of the box and are set by the Target edge servers.

The secure setting can be enabled on all of the cookies using the secureOnly: true configuration in the at.js implementation.

On this page