> This leaks session cookies for your domain to Google in a way GTM did not previously capture.
Only if you set up your session handler to emit cookies that apply to all subdomains instead of using the __Host- prefix and the SameSite=strict attribute [1].
I think the load balancer is the one forwarding all cookies to Google with this configuration. The browser has already sent this to your own domain/LB as first-party mode introduces yourdomain.com/page and yourdomain.com/metrics.
I don't think this would prevent the session cookie from being sent to tag manager. The tag manager document describes setting up a specific path on the website's normal domain, not using a subdomain.
This is incorrect; the documentation in the article involves configuring an L7 load balancer to route a path on the same domain as the origin to Google Tag Manager. This means even `SameSite=strict`, `Secure`, `HttpOnly` cookies will be sent to GTM, if the instruction I quoted is followed to pass all cookies and query strings.
It's weird that the document specifically says "all cookies" - that gives GTM access to every cookie sent to your application.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Se...
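The cookie-scoping question argued in this thread can be checked with a small model of the browser's attachment rules (RFC 6265 host and path matching plus SameSite). This is an added example, not part of any comment above: the cookie names, the `/app` path and the `metrics.yourdomain.com/collect` subdomain URL are constructed for illustration, and the registrable-domain check is simplified to the last two labels. It covers only what the browser attaches to the request; what the load balancer then forwards depends on its configuration.

```javascript
// Models which cookies a browser attaches to a request. Constructed data only.
const SETTING_HOST = "yourdomain.com"; // host that issued the cookies

function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

function hostMatches(cookie, reqHost) {
  // No Domain attribute means host-only: exact match on the issuing host.
  if (!cookie.domain) return reqHost === SETTING_HOST;
  return reqHost === cookie.domain || reqHost.endsWith("." + cookie.domain);
}

function sameSite(a, b) {
  // Simplification: treat the last two labels as the registrable domain.
  const site = (h) => h.split(".").slice(-2).join(".");
  return site(a) === site(b);
}

// Names of cookies attached to a request for `target` made by a page at `initiator`.
function cookiesSent(jar, initiator, target) {
  const from = new URL(initiator), to = new URL(target);
  return jar.filter((c) => {
    // A __Host- cookie must be Secure, Path=/ and carry no Domain, or it is rejected.
    if (c.name.startsWith("__Host-") && (c.domain || c.path !== "/" || !c.secure)) return false;
    if (c.secure && to.protocol !== "https:") return false;
    if (!hostMatches(c, to.hostname) || !pathMatches(c.path, to.pathname)) return false;
    if (c.sameSite === "Strict" && !sameSite(from.hostname, to.hostname)) return false;
    return true; // HttpOnly hides the cookie from scripts, not from requests
  }).map((c) => c.name);
}

const jar = [
  { name: "__Host-session", path: "/", secure: true, httpOnly: true, sameSite: "Strict" },
  { name: "sid_wide", domain: "yourdomain.com", path: "/", secure: true, sameSite: "Lax" },
  { name: "app_only", path: "/app", secure: true, httpOnly: true, sameSite: "Strict" },
];

const toMetrics = cookiesSent(jar, "https://yourdomain.com/page", "https://yourdomain.com/metrics");
const toSubdomain = cookiesSent(jar, "https://yourdomain.com/page", "https://metrics.yourdomain.com/collect");
console.log("same-host /metrics:", toMetrics, "| subdomain:", toSubdomain);
```

Because `__Host-` requires `Path=/`, such a cookie always matches every path on its own host; in this model only the `Path=/app` cookie stays off the `/metrics` request.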