This is my first issue in this project, so hopefully I do it right.
I would like to request a new feature to improve privacy. At the moment it is already possible to set the cookie lifetime to a shorter timespan and to set the cookie as secure.
I suggest also setting the cookie attributes HttpOnly and SameSite=Strict, so privacy would be improved and cross-site request forgery attacks could be prevented.
As far as I'm aware, every cookie that can be HttpOnly is HttpOnly. Can you show one that is not that way?
What do you refer to here, @neunzehnachtneun? To the JS tracker? In JS you cannot set a cookie as HttpOnly.
With SameSite you really need to take care of your cookie domain, or you will run into a hell of a lot of trouble. This is especially important if you use a reverse proxy.
(This does not mean I'm against it, but it might be a breaking change for some people.)
You would also need to have Matomo running on the very same domain? Not even a subdomain? Or would a subdomain still work?
SameSite is an origin-related setting and should be used with caution. It would have effects on the tracked data and most certainly break the 3rd-party cookie in many use cases.
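As an added illustration for the thread above (example code written for this page, not Matomo's own), here is a small model of the two browser rules being discussed: when a cookie's SameSite value lets it accompany a request (with "same site" meaning same scheme and same registrable domain, which is why a tracker on analytics.example.com still counts as first-party for www.example.com, while a tracker embedded on shop.example.org does not), and whether a browser accepts a cookie's Domain attribute at all, which is what goes wrong when a reverse proxy hands the application an internal hostname. The hostnames, cookie names and the two-label approximation of the registrable domain are assumptions made for the example; HttpOnly is only shown on the server-set header because, as noted above, a JavaScript tracker cannot set it.

```javascript
// Added example, not Matomo code. Models how a browser treats the cookie
// attributes discussed in the thread. Hostnames below are constructed.

// Registrable domain approximated as the last two labels. Assumption:
// a real browser consults the Public Suffix List (e.g. "co.uk").
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Schemeful same-site: same scheme and same registrable domain.
// https://analytics.example.com and https://www.example.com are same-site;
// http:// versus https:// on the same host are not.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Would this cookie be attached to the request?
// cookie: { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// req: { url, topLevelSite, method, isTopLevelNavigation }
//   topLevelSite is the URL of the page that initiated the request.
function cookieIsSent(cookie, req) {
  if (cookie.secure && new URL(req.url).protocol !== "https:") return false;
  const sameSite = isSameSite(req.url, req.topLevelSite);
  switch (cookie.sameSite) {
    case "Strict":
      return sameSite;
    case "Lax": // also sent on cross-site top-level navigations with a safe method
      return sameSite ||
        (req.isTopLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase()));
    case "None": // browsers reject SameSite=None without Secure
      return cookie.secure;
    default:
      throw new Error("unknown SameSite value: " + cookie.sameSite);
  }
}

// RFC 6265 domain-match: the browser stores a cookie only if the Domain
// attribute equals the request host or is a parent domain of it. Behind a
// reverse proxy the application may see an internal host and emit a Domain
// the public host never matches, so the cookie is silently dropped.
function cookieDomainAccepted(cookieDomain, requestHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = requestHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Server-side Set-Cookie header with the attributes the issue asks for.
// Throws on the one combination browsers reject outright.
function buildSetCookie(name, value, opts) {
  const { maxAge, httpOnly = true, secure = true, sameSite = "Lax",
          domain, path = "/" } = opts;
  if (sameSite === "None" && !secure) throw new Error("SameSite=None requires Secure");
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Constructed scenarios: a tracker on analytics.example.com called from a
// first-party page (www.example.com) and from a third-party page (shop.example.org).
function scenarios() {
  const firstParty = { url: "https://analytics.example.com/matomo.php",
    topLevelSite: "https://www.example.com/", method: "POST", isTopLevelNavigation: false };
  const thirdParty = { ...firstParty, topLevelSite: "https://shop.example.org/" };
  return {
    strictSubdomain:  cookieIsSent({ sameSite: "Strict", secure: true }, firstParty),
    strictThirdParty: cookieIsSent({ sameSite: "Strict", secure: true }, thirdParty),
    laxThirdPartyXhr: cookieIsSent({ sameSite: "Lax", secure: true }, thirdParty),
    noneThirdParty:   cookieIsSent({ sameSite: "None", secure: true }, thirdParty),
    domainOk:         cookieDomainAccepted("example.com", "analytics.example.com"),
    domainRejected:   cookieDomainAccepted("matomo.internal.lan", "analytics.example.com"),
  };
}

console.log(scenarios());
console.log(buildSetCookie("_pk_id", "abc123", { sameSite: "Strict", maxAge: 3600 }));
```

The `scenarios()` result is the practical answer to the questions above: with SameSite=Strict a subdomain of the tracked site still receives the cookie, but any cross-site embed (the third-party cookie use case) loses it unless the cookie is set with SameSite=None and Secure, and a wrong Domain attribute is not a SameSite problem at all but stops the cookie from ever being stored.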