I think this topic was discussed years ago, but I do get negative security points via Mozilla's Observatory when delivering first-party tracking cookies without the secure flag.
I think it should be possible to enable that flag on a per-website basis. Most websites I set up are SSL only, a request to non-encrypted pages gets redirected to SSL and that is the recommended canonical URL for every page. So I don't need any sharing of session tracking cookies between http and https.
Thanks for the suggestion @kkretsch - I think we'd need a new method in the piwik.js tracker code, e.g. setSecureCookies, and then we'd simply need to set the secure parameter to 1 in the setCookie() function calls. Would be easy to implement :+1:
Hi! Can I work on this?
Hi @mattab! As I am new here I'm still a little bit lost.
The environment is up and running. I've written the setSecureCookies() method and the tests for it, but I'm not sure about its content yet. Would it just call setCookie() with one more parameter (1 in this case)? Thanks!
@dudu84 setSecureCookies would set the internal variable to 1, and then in setCookie() you'll check this variable, and if it is set then you set the secure cookie flag
Note: this feature wasn't working, but this PR hopefully fixes it: #12355
This time it is working according to a user in the forums.
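
The design described in this thread (a setter flips an internal variable, and setCookie() checks it before adding the secure flag), as an added sketch that is not the piwik.js source. `createTracker`, its arguments, the stub document object and the cookie name are assumptions made for illustration; skipping the flag on http: pages is a design choice of this sketch, made because browsers discard Secure cookies written from an insecure page.

```javascript
// Added illustration, not Matomo/Piwik code. createTracker and its
// arguments are hypothetical; `doc` stands in for window.document.
function createTracker(doc, protocol) {
  var configCookieIsSecure = false; // internal variable toggled by the setter

  function setCookie(name, value, msToExpire, path, domain) {
    var parts = [name + '=' + encodeURIComponent(value)];
    if (msToExpire) {
      parts.push('expires=' + new Date(Date.now() + msToExpire).toUTCString());
    }
    parts.push('path=' + (path || '/'));
    if (domain) {
      parts.push('domain=' + domain);
    }
    // A Secure cookie written from an http: page is dropped by the browser,
    // so the attribute is appended only when the page was loaded over https.
    if (configCookieIsSecure && protocol === 'https:') {
      parts.push('secure');
    }
    doc.cookie = parts.join(';');
    return doc.cookie;
  }

  return {
    setSecureCookies: function (enable) { configCookieIsSecure = !!enable; },
    setCookie: setCookie
  };
}

// Constructed sample run against a stub document object.
function demo() {
  var tracker = createTracker({ cookie: '' }, 'https:');
  var before = tracker.setCookie('visitor', 'abc.123', 0, '/', 'example.org');
  tracker.setSecureCookies(true);
  var after = tracker.setCookie('visitor', 'abc.123', 0, '/', 'example.org');
  var httpTracker = createTracker({ cookie: '' }, 'http:');
  httpTracker.setSecureCookies(true);
  return { before: before, after: after, http: httpTracker.setCookie('visitor', 'abc.123') };
}
```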