@sgiehl opened this Pull Request on June 25th 2018 Member

refs #12841

@fdellwing commented on June 25th 2018 Contributor

Just asking: Does this cookie need to be changed via JS? If not, please also set HttpOnly!

@sgiehl commented on June 25th 2018 Member

We currently don't do that in core. Not sure if there are any plugins doing that, which might break then...

@diosmosis commented on June 25th 2018 Member

Can we make this the default in Cookie.php (i.e., setting to ProxyHttp::isHttps())? I can't think of a case where we'd want a cookie to be sent over HTTP if Matomo is on HTTPS, so I don't think there's a chance of BC break.

CC @tsteur

@sgiehl commented on July 9th 2018 Member

@diosmosis Don't we use the same methods in Tracker? I wonder if we don't need HTTP cookies while tracking in some cases. e.g. Matomo runs on HTTP and HTTPS and the website includes both (based on the current protocol). Tracking cookies set on HTTPS should then also be valid for HTTP, right?

@diosmosis commented on July 9th 2018 Member

Yes that makes sense to me, tracker cookies should be applied regardless of protocol... I guess we could change each individual use to be explicit, but that seems like a bit of work. I'll merge this one 👍

This Pull Request was closed on July 9th 2018
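
The default proposed in the thread (Secure follows the request scheme), with the explicit opt-out raised for tracker cookies and the HttpOnly flag requested in the first comment, sketched as an added example that is not Matomo's code or part of this pull request. The helper names `requestIsHttps` and `buildSetCookie`, the cookie names and the sample requests are hypothetical, and the scheme check assumes no TLS-terminating proxy in front of PHP.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: true when the request arrived over TLS.
// Assumption: no TLS-terminating proxy. Behind one, a forwarded-protocol
// header may only be trusted when it comes from a known proxy address.
function requestIsHttps(array $server): bool
{
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    return ($https !== '' && $https !== 'off')
        || (int)($server['SERVER_PORT'] ?? 0) === 443;
}

// Hypothetical helper: builds the value of a Set-Cookie header.
// $secure === null means "follow the request scheme" (the proposed default);
// true or false forces the flag, as a tracker cookie shared between the
// HTTP and HTTPS versions of a site would need.
function buildSetCookie(string $name, string $value, array $server,
                        ?bool $secure = null, bool $httpOnly = true): string
{
    // Restricting the name and encoding the value keeps CR/LF and
    // separators out of the header.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    $secure = $secure ?? requestIsHttps($server);
    $header = $name . '=' . rawurlencode($value) . '; Path=/';
    if ($secure) {
        $header .= '; Secure';   // never sent over plain HTTP
    }
    if ($httpOnly) {
        $header .= '; HttpOnly'; // not readable from document.cookie
    }
    return $header;
}

// Constructed sample requests (not captured traffic).
$httpsRequest = ['HTTPS' => 'on', 'SERVER_PORT' => '443'];
$httpRequest  = ['SERVER_PORT' => '80'];

// UI cookie: Secure is added only when the request itself was HTTPS.
echo buildSetCookie('ui_session', 'abc123', $httpsRequest), "\n";
echo buildSetCookie('ui_session', 'abc123', $httpRequest), "\n";
// Tracker-style cookie: explicit opt-out so it is also sent over HTTP.
echo buildSetCookie('tracker_id', 'v1', $httpsRequest, false), "\n";
```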