@MichaelRoosz opened this Pull Request on June 27th 2018 Contributor

When 3rd party cookies (_pk_uid) are enabled and a pageview is tracked to multiple siteids at once, then there is a race condition:

A new user without the 3rd party cookie arrives at page X.
The pageview of X is tracked to siteid A and at the same time to siteid B.
Both track requests do not have the 3rd party cookie set.
When matomo processes these requests, it will use the visitorid that came with the request as visitorid for the 3rd party cookie.
Here is a race condition: one of the requests will win, its visitorid will be the new global visitorid in the 3rd party cookie.
The visitorid of the request that lost remains in the database as an additional visitor+visit, and thus corrupting the data.

My fix:
Set the 3rd party cookie when sending the piwik javascript code (in /js/tracker.php).
This will of course not fix the problem, when the js is loaded directly from /piwik.js.
Thus I would recommend to add this case to the FAQ: When using 3rd party cookies AND tracking to multiple siteids at once, one must use /js/tracker.php and not /piwik.js to load the js in the browser.

@MichaelRoosz commented on August 16th 2018 Contributor

Updated: do not write third party cookie if ignore cookie is present

@MichaelRoosz commented on October 17th 2018 Contributor

Updated: cleaned & improved the pr

@MichaelRoosz commented on June 26th 2020 Contributor

@tsteur As this is quite a critical bug, is there anything I can do to get this merged? Creating a test for a race condition would be kind of hard.

@tsteur commented on June 29th 2020 Member

Tested it and works 👍 Happy to merge @MichaelHeerklotz . Good find... was probably tricky :)

This Pull Request was closed on June 29th 2020
Powered by GitHub Issue Mirror