Why don't you whitelist the exact url of the optout you have included?

I already do that, but this always requires the correct order of the parameters in the hope that they would not change. Maybe that's not a real bug, but I find Matomo's behavior strange in this case.

Isn't it kind of common behavior that only the last value of a parameter is used if it is given multiple times?

I think that's PHP itself that doesn't have a specified behavior when multiple GET parameters habe the same key. I guess Matomo just uses what PHP returns in $_GET.

Yes, the interpreter should take care of evaluating the $ _GET parameter. As a framework I would block calls with several same parameters, because the intention of the call is no longer recognizable (did I want to have OptOut or Login page?)

But Matomo has no way to see if a get parameter was specified twice.

<?php
print_r($_GET);

returns only Array ( [key] => somethingelse ) when get.php?key=test&key=somethingelse is requested.

Ok then the behavior as mentioned by @sgiehl is the correct behavior. So that always the last parameter counts. Then I have to exclude in the rewrite that the login module and the default action can be called. Thank you for the clarifying information.

Matomo could check that by looking at $_SERVER['QUERY_STRING'], but imho that is asking for trouble in the future.

Yes, I think that makes things worse. If it is planned then I would be glad to build less complicated rewrites :-)