
Security: Cookie Does Not Contain The "HTTPOnly" Attribute #16109

Closed
qualle opened this issue Jun 24, 2020 · 3 comments
Labels
answered For when a question was asked and we referred to forum or answered it.

Comments

@qualle

qualle commented Jun 24, 2020

The Cookie "_pk_testcookie.1.b4ee=1; _pk_id.1.b4ee=..." is set by matomo, which leads to a security warning "Security: Cookie Does Not Contain The "HTTPOnly" Attribute" on the security scanner qualysguard.

Can you add the HTTPOnly Attribute?

How to reproduce: Run a security test on any site with matomo installed (e.g. with QualysGuard from Qualys). Check results.

Expected behaviour: No warnings from the security scanner.

Greetings

@Findus23
Member

Hi,

Those cookies are set by the matomo.js tracking script which means you can't set them HTTPOnly as this means that they would not be accessible via Javascript.

@Findus23 Findus23 added the answered For when a question was asked and we referred to forum or answered it. label Jun 24, 2020
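The point in the answer above, as an added example that is neither Matomo's code nor part of the thread: parse cookies the way a scanner checks them, and mark each missing-HttpOnly finding by whether it is fixable at all. The `_pk_*` names come from the report; the values, the `sessionid` cookie and the `setVia` field are constructed assumptions.

```javascript
// Parse "name=value; Attr; Attr=val" into the flags a scanner looks at.
function parseCookie(str) {
  const [pair, ...attrs] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const out = { name: eq < 0 ? pair : pair.slice(0, eq), httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "httponly") out.httpOnly = true;
    else if (key === "secure") out.secure = true;
    else if (key === "samesite") out.sameSite = v.trim();
  }
  return out;
}

// Constructed inventory of cookies as observed on a page: one arrives in a
// Set-Cookie response header, the others are written by matomo.js via document.cookie.
const observed = [
  { setVia: "header", raw: "sessionid=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { setVia: "document.cookie", raw: "_pk_id.1.b4ee=abcd1234.1600000000.; Path=/; Secure; SameSite=Lax" },
  { setVia: "document.cookie", raw: "_pk_testcookie.1.b4ee=1; Path=/" },
];

// RFC 6265 section 5.3: a cookie written through a non-HTTP API (document.cookie)
// that carries HttpOnly is rejected by the browser, so only header-set cookies can have it.
function canCarryHttpOnly(setVia) {
  return setVia === "header";
}

// One finding per cookie lacking HttpOnly, marking whether the server can
// remediate it (header-set) or whether it is inherent to a script-set cookie.
function auditHttpOnly(cookies) {
  return cookies
    .map((c) => ({ ...parseCookie(c.raw), setVia: c.setVia }))
    .filter((c) => !c.httpOnly)
    .map((c) => ({
      name: c.name,
      fixableServerSide: canCarryHttpOnly(c.setVia),
      note: canCarryHttpOnly(c.setVia)
        ? "add HttpOnly to the Set-Cookie header"
        : "set by script; HttpOnly would hide it from that script, so the finding is inherent",
    }));
}

for (const finding of auditHttpOnly(observed)) console.log(finding);
```

Both `_pk_*` cookies come back as findings with `fixableServerSide: false`, which is the scanner result the reporter saw and the reason the answer gives.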
@nsiddams-opentext

nsiddams-opentext commented Dec 7, 2022

Hi @Findus23 ,

From the above comment made by you on June 24, 2020:

Those cookies are set by the matomo.js tracking script which means you can't set them HTTPOnly as this means that they would not be accessible via Javascript.
I understand that we can't set the cookies as HTTPOnly, so it still remains a security issue. So can we disable these cookies, and will it have any impact on the Matomo tracking functionality?

@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/pk-id-and-pk-ses-cookies-set-by-matomo-is-not-httponly/48615/2


4 participants