Use secure lang cookie when using https #13104

Merged
merged 1 commit into from Jul 9, 2018

sgiehl
Member

@sgiehl sgiehl commented Jun 25, 2018

refs #12841

@sgiehl sgiehl added the not-in-changelog (For issues or pull requests that should not be included in our release changelog on matomo.org.) and Needs Review (PRs that need a code review) labels Jun 25, 2018
@sgiehl sgiehl added this to the 3.6.0 milestone Jun 25, 2018
@fdellwing
Contributor

Just asking: Has this cookie the need to be changed via JS? If not, please also set HttpOnly!

@sgiehl
Member Author

sgiehl commented Jun 25, 2018

We currently don't do that in core. Not sure if there are any plugins doing that, which might break then...

@diosmosis
Member

Can we make this the default in Cookie.php (i.e., setting to ProxyHttp::isHttps())? I can't think of a case where we'd want a cookie to be sent over HTTP if Matomo is on HTTPS, so I don't think there's a chance of BC break.

CC @tsteur

@sgiehl
Member Author

sgiehl commented Jul 9, 2018

@diosmosis Don't we use the same methods in Tracker? I wonder if we don't need HTTP cookies while tracking in some cases. e.g. Matomo runs on HTTP and HTTPS and the website includes both (based on the current protocol). Tracking cookies set on HTTPS should then also be valid for HTTP, right?

@diosmosis
Member

Yes that makes sense to me, tracker cookies should be applied regardless of protocol... I guess we could change each individual use to be explicit, but that seems like a bit of work. I'll merge this one 👍

@diosmosis diosmosis merged commit 844e123 into 3.x-dev Jul 9, 2018
@diosmosis diosmosis deleted the securelangcookie branch July 9, 2018 19:34
InfinityVoid pushed a commit to InfinityVoid/matomo that referenced this pull request Oct 11, 2018
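
The trade-off discussed in this thread, as an added example that is not part of the pull request or Matomo's code: a UI cookie gets `Secure` whenever the request arrived over HTTPS, while a tracking cookie that must work from both HTTP and HTTPS pages does not, and `HttpOnly` is set unless JavaScript needs to read the cookie. The function names, cookie names and the trusted `X-Forwarded-Proto` header are assumptions.

```php
<?php
// Added illustration, not Matomo code. All names here are hypothetical.

/** True when the request used HTTPS, directly or via a TLS-terminating proxy.
 *  Assumption: X-Forwarded-Proto is set by a trusted proxy, never by the client. */
function requestIsHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

/**
 * Build a Set-Cookie header value.
 * $purpose 'ui':      UI preference cookie (e.g. language), Secure whenever on HTTPS.
 * $purpose 'tracker': must also be sent from HTTP pages, so Secure is never added.
 */
function buildSetCookie(string $name, string $value, string $purpose,
                        bool $isHttps, bool $jsNeedsAccess): string
{
    $parts = [rawurlencode($name) . '=' . rawurlencode($value), 'Path=/'];
    if ($purpose === 'ui' && $isHttps) {
        $parts[] = 'Secure';      // never sent over plain HTTP
    }
    if (!$jsNeedsAccess) {
        $parts[] = 'HttpOnly';    // hidden from document.cookie
    }
    return implode('; ', $parts);
}

// Constructed sample requests ($_SERVER-style arrays).
$requests = [
    'direct https'  => ['HTTPS' => 'on'],
    'plain http'    => [],
    'proxied https' => ['HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($requests as $label => $server) {
    $https = requestIsHttps($server);
    // Language cookie: core does not modify it from JS, so HttpOnly is safe here.
    echo "$label | ", buildSetCookie('lang', 'en', 'ui', $https, false), PHP_EOL;
    // Tracking cookie: stays valid for HTTP pages even when set over HTTPS.
    echo "$label | ", buildSetCookie('visitor_id', 'abc123', 'tracker', $https, false), PHP_EOL;
}
```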