Optional secure tracker cookie #11410

Closed
kkretsch opened this issue Feb 24, 2017 · 7 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. duplicate For issues that already existed in our issue tracker and were reported previously. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement.

Comments

@kkretsch

I think this topic was discussed years ago, but I do get negative security points via Mozilla's Observatory when delivering first-party tracking cookies without the secure flag.

I think it should be possible to enable that flag on a per-website basis. Most websites I set up are SSL only; a request to non-encrypted pages gets redirected to SSL, and that is the recommended canonical URL for every page. So I don't need any sharing of session tracking cookies between http and https.

@kkretsch kkretsch changed the title Optinal secure tracker cookie Optional secure tracker cookie Feb 24, 2017
@mattab
Member

mattab commented Feb 24, 2017

Thanks for the suggestion @kkretsch - I think we'd need a new method in the piwik.js tracker code, e.g. setSecureCookies, and then we'd simply need to set the secure parameter to 1 in the setCookie() function calls. Would be easy to implement 👍

@mattab mattab added this to the Backlog (Help wanted) milestone Mar 21, 2017
@mattab mattab added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement. labels Mar 21, 2017
@ghost

ghost commented May 26, 2017

Hi! Can I work on this?

@sgiehl
Member

sgiehl commented May 26, 2017

@dudu84 sure, a pull request would be very welcome

@ghost

ghost commented May 27, 2017

Hi @mattab! As I am new here, I'm a little bit lost still.
The environment is up and running. I've written the setSecureCookies() method and the tests for it, but I'm not sure about its content yet. Would it just call setCookie() with one more parameter (1 in this case)? Thanks!

@mattab
Member

mattab commented Jun 2, 2017

@dudu84 setSecureCookies would set the internal variable to 1, and then in setCookie() you'll check this variable, and if it is set then you set the secure cookie flag
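
The design described in the comment above, sketched as an added example; it is not part of the original thread and is not Matomo's piwik.js code. The `createTracker` factory, the `hasSecureFlag` helper, the cookie name and the injected `doc`/`loc` objects are assumptions made so the sketch runs outside a browser. Returning `null` on a non-HTTPS page is also an assumption of this sketch, chosen because current browsers do not store Secure cookies set from an insecure origin.

```javascript
// Added example: hypothetical tracker, not the project's own source.
function createTracker(doc, loc) {
  // Internal flag, off by default so sites still served over HTTP keep working.
  let secureCookies = false;

  function setSecureCookies(enable) {
    secureCookies = Boolean(enable);
  }

  // Builds the cookie string, assigns it to doc.cookie and returns it.
  // Returns null (and writes nothing) when the Secure flag is requested on a
  // non-HTTPS page, where the browser would not store the cookie anyway.
  function setCookie(name, value, msToExpire, path, domain) {
    if (secureCookies && loc.protocol !== 'https:') {
      return null;
    }
    const parts = [name + '=' + encodeURIComponent(value)];
    if (msToExpire) {
      parts.push('expires=' + new Date(Date.now() + msToExpire).toUTCString());
    }
    parts.push('path=' + (path || '/'));
    if (domain) {
      parts.push('domain=' + domain);
    }
    if (secureCookies) {
      parts.push('secure'); // the attribute the issue asks to make optional
    }
    const cookie = parts.join('; ');
    doc.cookie = cookie;
    return cookie;
  }

  return { setSecureCookies, setCookie };
}

// Reports whether a cookie string carries the Secure attribute.
function hasSecureFlag(cookie) {
  return cookie.split(';').slice(1)
    .some((attr) => attr.trim().toLowerCase() === 'secure');
}

// Constructed stand-ins for document and location (sample data, not real pages).
const fakeDoc = { cookie: '' };
const httpsTracker = createTracker(fakeDoc, { protocol: 'https:' });
const httpTracker = createTracker({ cookie: '' }, { protocol: 'http:' });
```
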

@mattab
Member

mattab commented Dec 13, 2017

Note: this feature wasn't working, but this PR hopefully fixes it: #12355

@mattab mattab reopened this Dec 13, 2017
@mattab mattab modified the milestones: Backlog (Help wanted), 3.2.2 Dec 13, 2017
@mattab
Member

mattab commented Dec 14, 2017

This time it is working, according to a user in the forums.
