Just asking: Does this cookie need to be changed via JS? If not, please also set HttpOnly!
We currently don't do that in core. Not sure if there are any plugins doing that, which might break then...
Can we make this the default in Cookie.php (i.e., setting to ProxyHttp::isHttps())? I can't think of a case where we'd want a cookie to be sent over HTTP if Matomo is on HTTPS, so I don't think there's a chance of BC break.
@diosmosis Don't we use the same methods in Tracker? I wonder if we don't need HTTP cookies while tracking in some cases. e.g. Matomo runs on HTTP and HTTPS and the website includes both (based on the current protocol). Tracking cookies set on HTTPS should then also be valid for HTTP, right?
Yes that makes sense to me, tracker cookies should be applied regardless of protocol... I guess we could change each individual use to be explicit, but that seems like a bit of work. I'll merge this one 👍
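
The trade-off discussed in this thread, as an added example that is not Matomo's code and not part of any comment: the Secure flag defaults to the protocol of the current request, HttpOnly is on unless disabled, and a tracker cookie opts out of Secure explicitly so it stays valid on both HTTP and HTTPS pages. All function names, cookie names and the request array are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; these helpers are hypothetical, not Matomo's API.

// Assumption: HTTPS is detected from the server variable, or from
// X-Forwarded-Proto when the request comes through a trusted reverse proxy.
function requestIsHttps(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Build a Set-Cookie header value. $secure === null means "default to the
// protocol of the current request"; callers that need the cookie on both
// protocols (tracker cookies) pass false explicitly.
function buildSetCookie(string $name, string $value, array $server,
                        ?bool $secure = null, bool $httpOnly = true): string
{
    $secure = $secure ?? requestIsHttps($server);
    $header = rawurlencode($name) . '=' . rawurlencode($value) . '; Path=/';
    if ($secure) {
        $header .= '; Secure';
    }
    if ($httpOnly) {
        $header .= '; HttpOnly';
    }
    return $header;
}

// Browser-side rule: a cookie carrying Secure is only sent over HTTPS.
function browserSendsCookie(string $setCookie, string $scheme): bool
{
    $isSecure = (bool) preg_match('/;\s*Secure(;|$)/i', $setCookie);
    return !$isSecure || $scheme === 'https';
}

$https   = ['HTTPS' => 'on'];                                  // constructed request
$ui      = buildSetCookie('ui_session', 'abc', $https);        // default: Secure
$tracker = buildSetCookie('visitor_id', '123', $https, false); // explicit opt-out

foreach (['ui' => $ui, 'tracker' => $tracker] as $label => $cookie) {
    printf("%-8s %s\n", $label, $cookie);
    printf("  sent on http: %s, https: %s\n",
        var_export(browserSendsCookie($cookie, 'http'), true),
        var_export(browserSendsCookie($cookie, 'https'), true));
}
```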