Opt-out does not unset session ID for CSRF protection #12540
Comments
Why should the

I would hate to be logged out of Piwik every time I visit one of our sites where I opted out.
Ok, so it seems I mixed up the purposes of the different cookies set; I simply assumed that

The original issue is still valid, but the cookie which should be unset is the tracking cookie, which appears to be

To summarise, the two issues are:
1.) You're right. It seems Matomo's opt-out page sends a session cookie, which should definitely be unneeded.

Obviously, the problem still exists on version 3.5.0. I would feel better if this "bug" were fixed before the DSGVO comes... Is there any news about that case?
I've checked the opt-out frame again, and the session cookie is needed indeed. The form currently includes a CSRF protection nonce, which requires short-time session storage. Nothing else should be stored in the session unless someone was logged in to Matomo before.

We got a security report (see below) that maybe the opt-out is not fully protected by a CSRF nonce token? CSRF user can be opted-in or opted-out using so we should ideally ensure that the opt-out / opt-in cannot be vulnerable to CSRF.

The scope of this issue is simply to verify and confirm that the opt-out / opt-in isn't vulnerable to CSRF.
When using the form to opt out of tracking (tested on https://matomo.org/privacy-policy/):

Expected behaviour

The PIWIK_SESSID cookie is removed from my browser.

Actual behaviour

The PIWIK_SESSID cookie remains with its previous value.

Discussion

We have tested this on our own install and the opt-out mechanism works, in that this user's sessions do not appear in the dashboard. However, there are two primary concerns:

piwik_ignore cookie. The Privacy by Design approach would be to unset the session cookie; then every user can be sure that the identifier is no longer present.

Therefore, it would be preferable if the server would remove/reset the PIWIK_SESSID cookie on opt-out, and enforce that this cookie does not persist. This would meet the goal on both sides: that the user can trust the opt-out mechanism, and that the administrator can prove compliance with user consent.
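The thread describes a tension: the opt-out form needs a server-side session to hold its CSRF nonce, yet the reporter wants PIWIK_SESSID gone after opting out, and another commenter does not want logged-in users signed out. The sketch below is an added illustration, not Matomo's code: it keeps the nonce in the session only until the POST is verified, then expires the session cookie when the session held nothing else. The session key name `optout_nonce`, the cookie lifetime and the `session` dict passed in are assumptions for the example.

```python
from __future__ import annotations
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "PIWIK_SESSID"   # session cookie named in the issue
OPTOUT_COOKIE = "piwik_ignore"    # opt-out marker cookie named in the issue
NONCE_KEY = "optout_nonce"        # hypothetical session key for the CSRF token


def render_optout_form(session: dict) -> str:
    """GET handler: mint a one-time nonce, store it server-side, return it for the
    hidden form field. A cross-site page cannot read it, so it cannot forge the POST."""
    nonce = secrets.token_hex(16)
    session[NONCE_KEY] = nonce
    return nonce


def handle_optout_post(session: dict, submitted_nonce: str) -> tuple[bool, list[str]]:
    """POST handler: verify the nonce, set piwik_ignore, then expire PIWIK_SESSID if
    the nonce was the only thing the session held. Returns (ok, Set-Cookie header values)."""
    expected = session.pop(NONCE_KEY, None)  # consume it: one nonce, one submission
    if expected is None or not hmac.compare_digest(
        expected.encode(), (submitted_nonce or "").encode()
    ):
        return False, []  # forged, replayed or stale submission: change nothing

    cookies = SimpleCookie()
    cookies[OPTOUT_COOKIE] = "1"
    cookies[OPTOUT_COOKIE]["max-age"] = 2 * 365 * 24 * 3600  # assumed two-year lifetime
    cookies[OPTOUT_COOKIE]["samesite"] = "Lax"
    cookies[OPTOUT_COOKIE]["secure"] = True
    cookies[OPTOUT_COOKIE]["httponly"] = True

    if not session:
        # Anonymous visitor: the session existed only for the nonce, so expire the
        # session cookie (Max-Age=0) and leave no identifier behind after opt-out.
        cookies[SESSION_COOKIE] = ""
        cookies[SESSION_COOKIE]["max-age"] = 0
        cookies[SESSION_COOKIE]["httponly"] = True
    # A logged-in user still has state in the session, so their cookie is kept and
    # only the nonce is dropped: opting out does not log them out.
    return True, [morsel.OutputString() for morsel in cookies.values()]
```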