@kkretsch opened this Issue on February 24th 2017

I think this topic was discussed years ago, but I do get negative security points via Mozilla's Observatory when delivering first-party tracking cookies without the secure flag.

I think it should be possible to enable that flag on a per-website basis. Most websites I set up are SSL only; a request to non-encrypted pages gets redirected to SSL, and that is the recommended canonical URL for every page. So I don't need any sharing of session tracking cookies between http and https.

@mattab commented on February 24th 2017 Owner

Thanks for the suggestion @kkretsch - I think we'd need a new method in the piwik.js tracker code eg. setSecureCookies and then we'd simply need to set the secure parameter to 1 in the setCookie() function calls. Would be easy to implement :+1:

@dudu84 commented on May 26th 2017 Contributor

Hi! Can I work on this?

@sgiehl commented on May 26th 2017 Member

@dudu84 sure, a pull request would be very welcome

@dudu84 commented on May 27th 2017 Contributor

Hi @mattab! As I am new here I'm a little bit lost still.
The environment is up and running. I've written the setSecureCookies() method and the tests for it, but I'm not sure about its content yet. Would it just call setCookie() with one more parameter (1 in this case)? Thanks!

@mattab commented on June 2nd 2017 Owner

@dudu84 setSecureCookies would set the internal variable to 1, and then in setCookie() you'll check this variable, and if it is set then you set the secure cookie flag
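
The approach described in this thread (an internal flag set by setSecureCookies that setCookie consults), as an added example that is not part of the original comments and not the piwik.js source. `createCookieWriter`, the stand-in `doc`/`loc` objects and the cookie name and value are hypothetical; the example also reports the case where a modern browser would discard a Secure cookie because the page was loaded over plain http.

```javascript
// Added illustration, not piwik.js code. createCookieWriter is a hypothetical
// wrapper; doc and loc stand in for window.document and window.location.
function createCookieWriter(doc, loc) {
    var secureCookies = false; // internal flag, off by default

    function buildCookie(name, value, msToExpire, path, domain, secure) {
        var parts = [name + '=' + encodeURIComponent(value)];
        if (msToExpire) {
            parts.push('expires=' + new Date(Date.now() + msToExpire).toUTCString());
        }
        parts.push('path=' + (path || '/'));
        if (domain) {
            parts.push('domain=' + domain);
        }
        if (secure) {
            parts.push('secure'); // cookie is only sent back over HTTPS
        }
        return parts.join(';');
    }

    return {
        // Opt-in switch, intended for sites that are served over HTTPS only.
        setSecureCookies: function (enable) {
            secureCookies = !!enable;
        },
        setCookie: function (name, value, msToExpire, path, domain) {
            // Modern browsers refuse a Secure cookie written from an http: page,
            // so the visitor ID would silently reset on every page view.
            var dropped = secureCookies && loc.protocol !== 'https:';
            var cookie = buildCookie(name, value, msToExpire, path, domain, secureCookies);
            doc.cookie = cookie;
            return { cookie: cookie, droppedByBrowser: dropped };
        }
    };
}

// Constructed sample run with stand-in objects (no real browser needed).
var demo = createCookieWriter({ cookie: '' }, { protocol: 'https:' });
demo.setSecureCookies(true);
console.log(demo.setCookie('_pk_id.1.abcd', 'constructed-visitor-id', 0, '/').cookie);
```
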

@mattab commented on December 13th 2017 Owner

Note: this feature wasn't working, but this PR hopefully fixes it: #12355

@mattab commented on December 14th 2017 Owner

This time it is working, according to a user in the forums.

This Issue was closed on December 14th 2017