@Findus23 opened this Pull Request on May 12th 2019 Member

I'm still utterly confused by how core/Cookie works in Matomo and I can't see any security benefit by "signing" the cookie and only lots of unused complexity by allowing arbitrary data to be deserialized.

I could only find it used in:

  • makeThirdPartyCookieUID() to save the $idVisitor
  • setLanguageForSession to save the language code when anonymous user
  • IgnoreCookie for unknown reasons (but only for deleting cookies)
  • SessionInitializer which seems completly unused
  • somewhere in TagManager, but only for setting "1" and null

so simply allowing to store a dictionary of strings should be more than enough for all use cases and far simpler.

This is more of a rough proof of concept to get my idea across, but I think this could be simplified in Matomo 4.


I'll probably append this PR draft with more similar commits.

@tsteur commented on May 12th 2019 Member

Maybe it's still there from when there was a hash of the token (or something like this) stored in the cookie? Not sure why it was done.

@MichaelHeerklotz commented on May 12th 2019 Contributor

There is also my PR here https://github.com/matomo-org/matomo/pull/13301 which sets the domain correctly for the IgnoreCookie and disables the signature check for it to allow multiple matomo installations on the same domain to share it. Maybe these prs can be combined? If we can keep support for old 3rd party cookies and migrate them this would be great.

Powered by GitHub Issue Mirror