New visitor ID generated per action in iframes (SameSite cookie issue) #16161
Comments
Not sure I can contribute much to this @promediadd, sounds like you almost found a solution except for Safari. I think when Re Safari: They did have some SameSite issues but it looks like they might be resolved now so it might work in the future: https://bugs.webkit.org/show_bug.cgi?id=198181
Thanks @tsteur — so is the expectation at this stage that we should maintain our own version of matomo.js (piwik.js) with these changes we've made for the foreseeable future? i.e. the findings posted here won't be integrated with official future releases? All good if that is the case, just would like to plan for that.

An update re: iOS Safari

Thanks for the link to that Safari/Webkit bug. While we await all devices in the wild to receive that fix we have (perhaps against best practice re: privacy etc?) found a workaround that allows us to use localStorage instead of cookies if the

For posterity, in case it helps the core or others who want to maintain their own solution, our (briefly tested) implementation is as follows:

setCookie() function
getCookie() function
deleteCookie() function
@promediadd ideally you wouldn't maintain your own tracker file. In the best case you could create a pull request for this file so we can review and merge it. Eg a PR that sets If it's not possible to create a PR I'd rename the issue to make it more clear on what needs to be done and maybe at some point we'd work on it. It's not clear though which milestone this would go into. The localStorage solution we would however likely not use, eg since it's not trivial to delete this data easily after a certain amount of time etc. We'd then also document this and create an FAQ advising people who track iframes to set the secure flag so they don't run into the same issue.
fyi this should be fixed as part of the Matomo 4 release, see https://matomo.org/faq/how-to/how-do-i-track-a-website-within-an-iframe/
Summary

getCookie() function cannot find the visitorId cookie inside of the documentAlias.cookie string.
SameSite param in setCookie() function from SameSite=Lax to SameSite=None resolves the issue on most browsers (iOS Safari excluded) (i.e. the documentAlias.cookie string now contains our visitorId cookie and things work as expected)

Replicating the issue
iframed into a third-party site and any visits occurring inside this iframe were being tracked as new visitors for every page visit and action taken (blowing out the tracking statistics)

Our "almost" fix
SameSite=None instead of SameSite=Lax on the setCookie() function
getCookie() to find the visitorId cookie inside of the documentAlias.cookie string which meant the same visitorId could be used

Other things we tried
Presumably SameSite=Lax is set for a reason. And as noted SameSite=None does not resolve the issue on iOS Safari. So we have tried other things, such as:
_paq.push(['setSecureCookie', location.protocol === 'https:']);
Potentially related...
SameSite
Is it just us?
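
The behaviour discussed in this issue, as an added example that is not part of the original post and is not Matomo's tracker code: it builds the cookie string with the SameSite and Secure attributes and uses a simplified model of the SameSite rule to show why a Lax cookie is missing from the cookie string inside a cross-site iframe. All function names and the `visitor_id` cookie are hypothetical, and the model does not cover Safari's additional third-party cookie blocking.

```javascript
// Added example (not Matomo's code). Names and sample values are constructed.

// Build the string assigned to document.cookie. Browsers only honour
// SameSite=None together with Secure, so refuse to build it otherwise.
function buildCookieString(name, value, { sameSite = 'Lax', secure = false, maxAgeSec, path = '/' } = {}) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure flag (HTTPS only)');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `path=${path}`];
  if (Number.isInteger(maxAgeSec)) parts.push(`Max-Age=${maxAgeSec}`);
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse a document.cookie-style string ("a=1; b=2"); return the value or null.
function readCookie(cookieHeader, name) {
  for (const pair of cookieHeader.split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    if (pair.slice(0, idx).trim() === name) {
      return decodeURIComponent(pair.slice(idx + 1).trim());
    }
  }
  return null;
}

// Simplified model of the SameSite rule: in a cross-site frame a cookie is
// only visible when it carries both SameSite=None and Secure.
function visibleInFrame(cookieString, crossSite) {
  if (!crossSite) return true;
  const attrs = cookieString.split(';').slice(1).map((s) => s.trim().toLowerCase());
  return attrs.includes('samesite=none') && attrs.includes('secure');
}

// What the cookie string read by the tracker would contain in that frame.
function documentCookieView(storedCookies, crossSite) {
  return storedCookies
    .filter((c) => visibleInFrame(c, crossSite))
    .map((c) => c.split(';')[0])
    .join('; ');
}
```

With a Lax cookie the cross-site view is empty, so a tracker that finds no visitor ID generates a new one on every action; with `SameSite=None; Secure` the same ID is read back.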