When using the form to opt-out of tracking (tested on https://matomo.org/privacy-policy/):
PIWIK_SESSID cookie is removed from my browser.
PIWIK_SESSID cookie remains with its previous value.
We have tested this on our own install and the opt-out mechanism works, in the sense that this user's sessions do not appear in the dashboard. However, there are two primary concerns:
piwik_ignore cookie. The Privacy by Design approach would be to unset the session cookie, then every user can be sure that the identifier is no longer present.
Therefore, it would be preferable if the server would remove/reset the PIWIK_SESSID cookie on opt-out, and enforce that this cookie does not persist. This would meet the goal on both sides: that the user can trust the opt-out mechanism, and that the administrator can prove compliance with user consent.
Why should the PIWIK_SESSID cookie be removed when you choose to opt out?
The PIWIK_SESSID cookie is set when you log into Piwik, so it's the session cookie for Piwik users, not for people getting tracked. I don't think it makes sense to log someone out of Piwik if he chooses to opt out.
I would hate to be logged out of Piwik every time I visit one of our sites where I opted out.
Ok, so it seems I mixed up the purposes of the different cookies set. I simply assumed that PIWIK_SESSID was the tracking cookie because it was set for me. This actually uncovers a second issue: when visiting a page containing the opt-out frame I am given a PIWIK_SESSID cookie. With a clean profile, when visiting https://matomo.org/privacy-policy/ I get this cookie, despite not being an administrator of this Matomo instance. This session ID is sent with all subsequent requests in the session.
The original issue is still valid, but the cookie which should be unset is the tracking cookie, which appears to be
To summarise, the two issues are:
PIWIK_SESSID cookie for normal users.
_pk_id.1.f3f2), which remains and will not expire for over a year.
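The second issue above is that the first-party tracking identifier (the `_pk_id.*` cookie) survives the opt-out. The snippet below is an added example, not Matomo's code, of what an opt-out response has to carry for the identifier to actually be gone: it expires every tracking cookie it sees in the request and sets the `piwik_ignore` flag mentioned earlier in the thread. The `domain`/`path` options and the `isOptedOut` checker are my own construction; the cookie names follow the `_pk_id`, `_pk_ses`, `_pk_ref`, `_pk_cvar` families Matomo's tracker uses, and the sample Cookie header is constructed.

```javascript
// Added example (not Matomo's code): cookies an opt-out response should set so
// that the tracking identifier no longer persists in the visitor's browser.

// Parse a request Cookie header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Build the Set-Cookie headers for an opt-out. Tracking cookie names are read
// from the request because Matomo suffixes them with the site id and a hash
// (e.g. _pk_id.1.f3f2 in this thread), so the server cannot guess them.
// The login session cookie (PIWIK_SESSID) is deliberately left alone.
function buildOptOutCookies(cookieHeader, { domain, path = "/" } = {}) {
  const jar = parseCookieHeader(cookieHeader);
  const attrs = `Path=${path}` + (domain ? `; Domain=${domain}` : "");
  const headers = [];
  for (const name of Object.keys(jar)) {
    if (/^_pk_(id|ses|ref|cvar)\./.test(name)) {
      // A cookie is only expired if Domain and Path match the original cookie
      // exactly; a mismatch silently leaves the old identifier in place.
      headers.push(
        `${name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; ${attrs}`
      );
    }
  }
  // The opt-out flag itself (constructed lifetime: one year, i.e. at least as
  // long as the identifier it replaces would have lived).
  headers.push(`piwik_ignore=1; Max-Age=31536000; ${attrs}; SameSite=Lax`);
  return headers;
}

// Check, from the Cookie header a later request would carry, whether the
// opt-out is effective: flag present and no tracking identifier left.
function isOptedOut(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  const hasTrackingId = Object.keys(jar).some((n) => n.startsWith("_pk_id."));
  return jar.piwik_ignore === "1" && !hasTrackingId;
}

// Constructed sample request, as a visitor who is also logged in would send it.
const sampleCookies = "_pk_id.1.f3f2=abc.123; _pk_ses.1.f3f2=1; PIWIK_SESSID=xyz";
console.log(buildOptOutCookies(sampleCookies, { domain: "example.org" }));
console.log(isOptedOut("piwik_ignore=1; PIWIK_SESSID=xyz")); // true
console.log(isOptedOut("piwik_ignore=1; _pk_id.1.f3f2=abc.123")); // false
```

The `isOptedOut` check is the part an administrator can run against a follow-up request to prove the opt-out took effect, which is the compliance point raised in the first post.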
1.) You're right. Seems Matomo's opt-out page sends a session cookie, which should definitely be unneeded.
2.) Right. The cookie isn't removed. Need to check why this is the case, but I don't think the cookie should be needed for anything after opting out.
Obviously, the problem still exists on version 3.5.0.
I would feel better if this "bug" was fixed before the DSGVO comes...
Is there any news about that case?
I've checked the opt-out frame again, and the session cookie is needed indeed. The form currently includes a CSRF protection nonce, which requires short-term session storage. Nothing else should be stored in the session unless someone was logged in to Matomo before.
We got a security report (see below) that maybe the opt-out is not fully protected by a CSRF nonce token?
CSRF user can be opted-in or opted-out using
so we should ideally ensure that the opt-out / opt-in cannot be vulnerable to CSRF.
Then we could close this issue.