Why Fullstory uses First-Party Cookies

The Fullstory data capture script sets three first-party cookies containing your end-user’s fs_uid, fs_cid, and fs_lua when capturing their activities on your site. The fs_uid cookie uses your domain as the host, instead of “fullstory.com,” which is what distinguishes it as a first-party cookie. The fs_cid is a cookie that stores the user's consent state. The fs_lua is a cookie that captures the timestamp of the user's last action. First-party cookies come with a variety of benefits over third-party cookies, both for you and your users.

Why first-party cookies matter to your users

Cookies are tiny pieces of identifying information, like digital name tags, that are stored on a user’s computer. When a user wants to access your website or app, their browser sends the cookie as part of their request to your server, as if to say, “Hello! It’s me again!” This is how your servers know whether to send back stateful information, such as items in an online shopping cart, or sensitive information about the user’s account (if they’re logged in).

The user’s browser will only send up a cookie that matches a domain it’s trying to access. If they’re trying to load the website “example.com,” the browser will send up any cookies that have “example.com” as their host. This prevents other websites from reading any information on cookies that don’t pertain to them, thus protecting the user’s sensitive information from prying eyes.

Importantly, this means an end user’s identity cannot be connected between multiple sites using Fullstory. Each site sets a separate fs_uid cookie which can only be read by that site. Your customers don’t have to worry that Fullstory is using their data to build profiles for sale or for ad delivery purposes—we couldn’t, even if we wanted to, which we don’t.

Why first-party cookies matter to you

Frankly, several browsers and even more browser extensions are set by default to block third-party cookies. That’s not without good reason: third-party cookies are most famously set by ad networks and are used to covertly build profiles of users’ activities all over the Internet. Most people fall into the categories of not knowing or caring about this type of tracking, but the segment of users who know, care, and actively avoid being tracked is growing.

We know you’re using Fullstory to make your site better for your users, and we don’t want your fs_uid cookie to get caught up erroneously in third-party cookie blockers. So we only use first-party cookies. It’s a win-win situation: a better guarantee of privacy for your users, and a higher effective rate of cookie-setting for you!

What cookies does Fullstory use?

Name Duration Use case
fs_uid Expires after 1 year The 'fs_uid' cookie can be thought of as the capture cookie. When an end-user visits a customer's site, that cookie is used to track the user across sessions and pages. The same user may visit a site multiple times and may navigate to many pages within a single session. This cookie ensures that all captured session traffic is associated with one user. A session cannot be captured without this cookie and the users anonymized visit will not be logged.
fs_session 30 days The session cookie for the Fullstory Web Application (app.fullstory.com). It maintains an authenticated user's session. Specific only to admins and users of the Fullstory application, not end users.
fs_csrftoken 30 days Used to prevent cross-site request forgery. Specific only to admins and users of the Fullstory application, not end users.
fs_trusted_device 60 days Once verification succeeds, this cookie is set so that the user will not have to verify a device on every login attempt. This is specific only to admins and users of the Fullstory application, and not end users.
fs_last_activity Expires when the session/browser closes Records the timestamp of the last action the user took within the web application. It is used to assist with session timeouts. Specific only to admins and users of the Fullstory application, not end users.
fs_cid Expires after 1 year Stores the consent state for this device. For more on consent state see: https://help.fullstory.com/hc/en-us/articles/360020623254-FS-consent-Capture-elements-with-consent
_fs_tab_id Expires when the tab is closed Support multi-tab playback, provides a unique ID to each tab. Note that this is technically not a cookie, but a form of sessionStorage: https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage
fs_lua Expires after 30 mins Captures the timestamp of the last user action. It is used to assist with the Fullstory session lifecycle, ensuring user activity extends the session. See "What defines a session in Fullstory?" for more info on the session lifecycle.

Need to get in touch with us?

The Fullstory Team awaits your every question.

Ask the Community Technical Support