Check that all Matomo cookies are set with the secure flag #15681

Closed
tom275 opened this issue Mar 6, 2020 · 1 comment · Fixed by #15683
Labels
Bug For errors / faults / flaws / inconsistencies etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Comments


tom275 commented Mar 6, 2020

Found out the _pk_ref cookie is not secure, despite setSecureCookies being set. All the other _pk cookies however are.
A quick look into the JavaScript code shows the check for a secure cookie is missing on some other cookies too, e.g. CustomDimension.
Maybe the check whether a cookie needs the secure flag can be moved to the setCookie function instead of doing it individually for every single cookie.

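The centralised check the comment proposes, as an added example in JavaScript that is not Matomo's or piwik.js's own code: every cookie goes through one setCookie path that appends the Secure attribute from the tracker-wide setting, so _pk_ref and custom-dimension cookies cannot miss it. The trackerConfig object, buildCookieString, findInsecure and the in-memory cookie jar are assumptions made for this illustration.

```javascript
// Added example (not Matomo's code): apply the Secure flag in one place.
// trackerConfig, buildCookieString, findInsecure and the cookie jar are
// assumptions for this illustration, not piwik.js identifiers.

// Tracker-wide configuration, mirroring the idea of a setSecureCookies() setter.
const trackerConfig = { secureCookies: false, sameSite: 'Lax', domain: '', path: '/' };

function setSecureCookies(enabled) {
  trackerConfig.secureCookies = Boolean(enabled);
}

// Build the full cookie string. The Secure attribute is decided here from the
// shared config, so no individual caller can forget it.
function buildCookieString(name, value, msToExpire) {
  let cookie = encodeURIComponent(name) + '=' + encodeURIComponent(value);
  if (typeof msToExpire === 'number' && msToExpire > 0) {
    cookie += ';expires=' + new Date(Date.now() + msToExpire).toUTCString();
  }
  cookie += ';path=' + (trackerConfig.path || '/');
  if (trackerConfig.domain) {
    cookie += ';domain=' + trackerConfig.domain;
  }
  cookie += ';SameSite=' + trackerConfig.sameSite;
  if (trackerConfig.secureCookies) {
    cookie += ';Secure';
  }
  return cookie;
}

// Single write path: every cookie (id, ref, custom dimensions) goes through here.
function setCookie(cookieJar, name, value, msToExpire) {
  const cookie = buildCookieString(name, value, msToExpire);
  cookieJar.cookie = cookie; // in a browser, cookieJar would be `document`
  return cookie;
}

// Audit helper: which written cookie strings lack the Secure attribute?
function findInsecure(cookieStrings) {
  return cookieStrings.filter((c) => !/;\s*Secure(;|$)/i.test(c));
}

// Demo with a constructed in-memory cookie jar.
const jar = { cookie: '' };
setSecureCookies(true);
const written = [
  setCookie(jar, '_pk_id.1.abcd', 'visitor-id', 13 * 30 * 24 * 3600 * 1000),
  setCookie(jar, '_pk_ref.1.abcd', '["ref",1,0,"https://example.invalid/"]', 6 * 30 * 24 * 3600 * 1000),
  setCookie(jar, '_pk_cvar.1.abcd', '{"1":["dim","val"]}', 30 * 60 * 1000),
];
console.log(findInsecure(written).length === 0 ? 'all cookies Secure' : 'insecure cookies found');
```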

tom275 commented Mar 6, 2020

Something similar was done in 2018: #12841

@tsteur tsteur added the Bug For errors / faults / flaws / inconsistencies etc. label Mar 7, 2020
@tsteur tsteur self-assigned this Mar 7, 2020
@tsteur tsteur added this to the 4.0.0 milestone Mar 7, 2020
diosmosis pushed a commit that referenced this issue Mar 9, 2020
…nsions (#15683)

* fix #15681 secure cookie flag is not set for referrer and custom dimensions

* rebuilt piwik.js

Co-authored-by: sgiehl <sgiehl@users.noreply.github.com>
@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Sep 29, 2020