@85pando opened this Issue on May 18th 2016

We use Piwik with the cookies disabled: use_third_party_id_cookie = 0 and _paq.push(['disableCookies']); (trying not to have to display those stupid EU-warnings about Cookies).

Unfortunately it seems the case that there is some mixup. If "do not track" is disabled in the browser everything is fine, if it is enabled a Cookie is set.
I think the idea of this cookie is to "delete" cookies that might have been set before, as the expiration is before the cookie is actually set. If this is the case, the correspoding page in the FAQ should probably be updated to include this.

piwik-cookie

Piwik version is 2.16.1.

@tsteur commented on May 22nd 2016 Member

The cookie should be set with a date in the past and be deleted immediately. This "delete" cookie is basically set to delete any existing cookies. We could make it a bit smarter and set the delete cookie only if one is actually set currently which is likely the case unless disableCookies was called before like in your case.

Solution would be to send along the tracking request whether cookies are disabled and then consider this server side as well.

@85pando commented on May 23rd 2016

This "delete" cookie is basically set to delete any existing cookies.

That's what I thought it's for (-:

The cookie should be set with a date in the past and be deleted
immediately.

In Firefox that's true, in Chrome however the expired cookie is stored.
We just want to prevent those EU-cookie-warnings, so we'd rather have no
cookies at all.

Solution would be to send along the tracking request whether cookies
are disabled and then consider this server side as well.

Another idea would be to make disable-cookies an enum with {false | delete | true} or add a second flag like disable-delete-cookies or something like that. In this way the server admin could decide, what
should be used.

@tsteur commented on May 23rd 2016 Member

A workaround so far would be maybe to call deleteCookies after each tracking request. Eg _paq.push(['trackPageview']);_paq.push(['deleteCookies']) but I haven't tried whether it actually works.

@85pando commented on May 24th 2016

To clarify, the cookie is not set in Chrome but it is displayed in the cookie list with a 2015 expiration date. There certainly is a valid use case for the pk_uid=deleted cookie, namely to delete a cookie that was previously set.
However, for sites like ours that have never set such a cookie in the past, this is unnecessary. We fear that users who check if the site sets any cookies, will just see that there is a cookie being set and are not looking at the expiration date.

We will try you workaround suggestion and get back here.

@85pando commented on May 27th 2016

Can confirm that this prevents storage of the cookie as a workaround.

@85pando commented on May 30th 2016

Alternatively, my collegue also added this to the virtual host of the piwik server (Apache) before I set _paq.push(['deleteCookies']):

<VirtualHost […]>
    ServerName piwik.[…]
    […]
    SetEnvIf Request_URI "^/piwik\.php" is_tracker
    Header unset Set-Cookie env=is_tracker
</VirtualHost>
Powered by GitHub Issue Mirror