Adobe Target cookies

Adobe Target uses cookies to give website operators the ability to test which online content and offers are more relevant to visitors.

The information in this article only applies to the Adobe Target JavaScript library (at.js). See Adobe Experience Platform Web SDK cookies for information on Target implementations using the Web SDK.
You can change settings discussed in this article if needed, except for the cookie duration. Consult your account representative when changing cookie settings.

First-party cookies

The following first-party cookies are stored on the customer’s domain:


Stores anonymous identifiers about the visitor.

Cookie domain: The domain from which you serve the mbox. Because this cookie is served from your company’s domain, the cookie is a first-party cookie. If any of your domain names include a country code, such as, work with Client Services to configure at.js to support this code. For information about customizing the cookie domain, if necessary, see cookieDomain under targetGlobalSettings in the Adobe Target developer guide.

Server domain:, using the client code for your Adobe Target account.

Cookie duration: The cookie remains on the visitor’s browser two years from the last login. You cannot change the cookie duration.

The cookie keeps some values to manage how your visitors experience Target activities:

session ID: A unique identifier for a given user session. By default the session expires after 30 minutes of inactivity. If you are generating sessionId yourself (for example, for server-side implementations), ensure the following:

  • The session ID can be any printable string except a space, question mark ( ? ), or a forward slash ( / ).
  • The session ID should be from 1 to 128 characters in length.
  • For a particular session, the cookie’s value must stay the same across multiple requests.
  • You should never have parallel sessions (distinct sessionIds) for a given visitor at any point in time.

Routing to a particular node in the edge cluster is done using session ID.

  • The session is active for 30 minutes on the server side. Therefore, you shouldn’t use a different session Id for a particular tntId/thirdPartyId within 30 minutes of the last request made with the tntId/thirdPartyId. Otherwise, changes to the profile could be inconsistent and unpredictable.
  • A new session ID must be used after thirty minutes of inactivity from a visitor.
  • Using the same session ID with multiple tntIds/thirdPartyIds can cause unpredictable changes to the profiles identified by the tntId/thirdPartyIDs.

NOTE: See limit on number of concurrent requests for a given session ID.

pc ID: A semi-permanent ID for a visitor’s browser. Lasts until cookies are manually deleted.

check: A simple test value used to determine if a visitor supports cookies. Set each time a visitor requests a page.

disable: Set if a visitor’s load time exceeds the timeout configured in the at.js file. By default, this timeout lasts one hour.

Temporary cookie to check if the cookie read/write capability is enabled on the browser.
This cookies is only present when/if overrideMboxEdgeServer setting is set to true.

It is not possible to use HTTPOnly on the these first-party cookies. The at.js JavaScript library needs to read/write to these cookies. These cookies are created by at.js and are not set from the server.

The secure setting can be enabled on all of these cookies using the secureOnly: true configuration in at.js.

Third-party cookies

Adobe Target users can create customized third-party cookies. The following third-party cookies are stored on

Present if cross domain is enabled.
Present if cross domain is enabled.

These third-party cookies are HTTPOnly out of the box and are set by Adobe Target data collection servers.

The secure setting can be enabled on all of the cookies using the secureOnly: true configuration in at.js.