I'm still utterly confused by how
core/Cookie works in Matomo and I can't see any security benefit by "signing" the cookie and only lots of unused complexity by allowing arbitrary data to be deserialized.
I could only find it used in:
- makeThirdPartyCookieUID() to save the
- setLanguageForSession to save the language code when anonymous user
- IgnoreCookie for unknown reasons (but only for deleting cookies)
- SessionInitializer which seems completely unused
so simply allowing a dictionary of strings to be stored should be more than enough for all use cases and far simpler.
This is more of a rough proof of concept to get my idea across, but I think this could be simplified in Matomo 4.
I'll probably append this PR draft with more similar commits.
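As an added illustration (not Matomo's code and not this PR's diff) of the simplified scheme proposed above: the cookie body is a flat map of string keys to string values, nothing passes through unserialize(), and the signature is kept purely as an integrity check so a body altered in transit is discarded instead of being parsed. Function names and the secret are placeholders.

```php
<?php
// Hypothetical minimal cookie codec (added example, not Matomo code).
// Body: percent-encoded key=value pairs; trailer: HMAC-SHA256 over the body.

const COOKIE_SECRET = 'replace-with-a-per-install-random-secret'; // placeholder

function encodeCookieValue(array $data, string $secret): string
{
    foreach ($data as $k => $v) {
        if (!is_string($k) || !is_string($v)) {
            throw new InvalidArgumentException('only string keys and values are allowed');
        }
    }
    // http_build_query percent-encodes keys and values, so '&' and ':' in data are safe
    $body = http_build_query($data, '', '&', PHP_QUERY_RFC3986);
    $mac = hash_hmac('sha256', $body, $secret);
    return $body . ':' . $mac;
}

function decodeCookieValue(string $raw, string $secret): ?array
{
    $pos = strrpos($raw, ':');
    if ($pos === false) {
        return null;
    }
    $body = substr($raw, 0, $pos);
    $mac = substr($raw, $pos + 1);
    // constant-time comparison; any change to the body invalidates the MAC
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;
    }
    $data = [];
    parse_str($body, $data);
    // parse_str builds nested arrays from keys like a[b]; only flat strings are accepted
    foreach ($data as $v) {
        if (!is_string($v)) {
            return null;
        }
    }
    return $data;
}

$cookie = encodeCookieValue(['lang' => 'de', 'ignore' => '1'], COOKIE_SECRET);
var_dump(decodeCookieValue($cookie, COOKIE_SECRET));                 // untouched cookie
var_dump(decodeCookieValue($cookie . 'x', COOKIE_SECRET));           // MAC altered after signing
var_dump(decodeCookieValue('lang=en:' . substr($cookie, -64), COOKIE_SECRET)); // body swapped, old MAC reused
```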
Maybe it's still there from when there was a hash of the token (or something like this) stored in the cookie? Not sure why it was done.
There is also my PR here https://github.com/matomo-org/matomo/pull/13301 which sets the domain correctly for the IgnoreCookie and disables the signature check for it to allow multiple Matomo installations on the same domain to share it. Maybe these PRs can be combined? If we can keep support for old 3rd party cookies and migrate them this would be great.