Since this commit has been merged, setting the cookie path is broken.
Cookie path in the Set-Cookie header must not be escaped, or the browser will fall back to the current URL path.
If $Path === '/' and the cookie is set from /js/tracker.php, the browser will save the cookie path as "/js" and not "/".
Reading the documentation here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie, I think we should not escape the path at all.
Same applies for the domain, but since the dot is not escaped by rawurlencode, I think it does not hurt.
Might be something we maybe should add to 3.x-dev. Seems to be the same issue we had with session cookies. See https://github.com/matomo-org/matomo/pull/15602
Haven't looked... can we always trust the
@tsteur In most cases it should use config values for login_cookie_path or doesn't have a value at all.
But we can't encode the path that way. We had the same problem in the linked PR. The browser simply discards the path if it's encoded...
👍 sweet. Was just meaning in case there is user input somewhere we'd need to do maybe some validation or so. That's all.
👍 to merge into 3.x-dev
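An added example, not part of the thread and not Matomo's code: it follows the cookie path rules of RFC 6265 (sections 5.1.4 and 5.2.4) to show why a `rawurlencode`d path is replaced by the request's directory, and sketches validating the path instead of encoding it. The function names and the sample inputs are constructed for illustration.

```php
<?php
// RFC 6265 section 5.1.4: default-path derived from the request URI path.
function defaultCookiePath(string $requestPath): string
{
    if ($requestPath === '' || $requestPath[0] !== '/') {
        return '/';
    }
    $lastSlash = strrpos($requestPath, '/');
    // Only the leading slash present: the default-path is "/".
    return $lastSlash === 0 ? '/' : substr($requestPath, 0, $lastSlash);
}

// RFC 6265 section 5.2.4: a Path attribute that is empty or does not start
// with "/" is ignored and the default-path is used instead.
function effectiveCookiePath(string $pathAttribute, string $requestPath): string
{
    if ($pathAttribute === '' || $pathAttribute[0] !== '/') {
        return defaultCookiePath($requestPath);
    }
    return $pathAttribute;
}

// Hypothetical validator: reject unsafe values rather than encoding them.
// Allows printable ASCII except ";" (the attribute separator); \z instead
// of $ so a trailing newline cannot slip through.
function validateCookiePath(string $path): string
{
    if (!preg_match('/^\/[\x20-\x3A\x3C-\x7E]*\z/', $path)) {
        throw new InvalidArgumentException('Invalid cookie path');
    }
    return $path;
}

$requestPath = '/js/tracker.php'; // request path used in the description above

// Raw path versus the escaped path the regression produced.
foreach (['/', rawurlencode('/')] as $attr) {
    printf("Path=%s -> stored as %s\n", $attr, effectiveCookiePath($attr, $requestPath));
}

// Constructed inputs: two ordinary paths, two that must never reach a header.
foreach (['/', '/matomo', '/;injected', "/\r\nX-Test: 1"] as $candidate) {
    try {
        validateCookiePath($candidate);
        printf("accepted: %s\n", $candidate);
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", json_encode($candidate));
    }
}
```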