Browser Cookie Updates: How Marketo/Munchkin Is Affected

Update May 2021:

Due to the release of CNAME Cloaking Defense with IOS and Safari 14 Munchkin cookies will be capped to a 7 day lifespan in Safari .


What’s changing?

On February 21, 2019, Webkit announced the new release of Safari’s Intelligent Tracking Prevention (ITP), known as ITP 2.1 and ITP 2.2 shortly thereafter. With ITP 2.x, all persistent client-side cookies, i.e., non-session cookies created via JavaScript through document.cookie, are capped to a seven-day or one-day expiry.  Mozilla Firefox and Google Chrome have also announced their intent to conform to these new policies, though no details or dates have been released.


How does this impact Marketo?

As a result of these changes to cookie policy, 7 days after their initial tracked visit to your domain, the Munchkin cookies of visitors using Safari (or future affected browser versions) created with the existing versions of Munchkin JavaScript will expire, and on subsequent visits they will be tracked as a new visitor.


How does Munchkin operate?

On a person’s first visit to a page on your domain, a new anonymous person record is created in Marketo. The primary key for this record is the Munchkin cookie (_mkto_trk) which is created in the user’s browser.  All subsequent web activity on that browser is recorded against this anonymous record.  In order to be associated with a known record in Marketo, one of the following methods should be used:

  • The person may visit a Munchkin-tracked page with a mkt_tok parameter in the query string from a tracked Marketo email link.
  • The person may fill out a Marketo Form.
  • REST Associate Lead call must be sent.


Once one of these actions is completed, the cookie and all its associated web activity will be associated with the known record.


How is Marketo planning to address ITP concerns?

Marketo will implement a new web service to allow Munchkin cookies to be set with a Set-Cookie header via HTTP response, so that they may bypass the 7-day expiry cap imposed when setting cookies via JavaScript.


Do I need to do anything to take advantage of these updates?

In order to leverage the new behavior and take advantage of the greater expiry period and tracking capabilities, ensure that you have configured the following:

  • A Landing Page CNAME
  • Secured Landing Pages (i.e. HTTPS)
  • For external pages, you must have configured a Landing Page Domain or Domain Alias with a Top-Level Domain (TLD) matching the external domains which you wish to track
    • For example, if you have pages on the domain which are tracked, you must have configured an LP Domain or Alias which is a subdomain of, like


What happens if I do nothing?

Munchkin’s ability to track users across sessions on the same domain will remain limited by ITP to either 1 or 7 days based on the browser and browser version used by the visitor. As of this posting, this only affects visitors using the Safari browser, although Chrome & Firefox may follow suit with their own versions.


When will the solution be launched?

These changes will begin as a staggered roll-out to customers who have opted into the Munchkin Beta channel in conjunction with the January 2020 Marketo release. Once the solution has been released to all beta customers, the roll-out to our entire customer base will begin in mid-to-late February. All customers should expect to have the solution by end of March 2020.


Google Chrome Update (Feb. 2020):

Google recently announced that the Chrome browser will block all third-party cookies within two years; however, since Marketo uses 1st party cookies, this update regarding 3rd party cookies will NOT affect your Marketo tracking efforts. For further context about 3rd party cookies in general, and the industry shift away from using them, please see the following article for Adobe's stance across the Experience Cloud Solutions:

Labels (1)