core/Cookie.php:Cookie->delete() doesn't set secure and SameSite. #16637
Labels: Bug, Help wanted
Hi,
We use AjaxOptOut-Plugin instead of the OptOut-Iframe: https://plugins.matomo.org/AjaxOptOut?piwikversion=3.
The Matomo host and the website host don't share the same domain name and use HTTPS.
The IgnoreCookie::setIgnoreCookie(); function works fine. But IgnoreCookie::getIgnoreCookie()->delete(); fails to delete the "piwik_ignore". Browsers (like Chrome 86) mention that SameSite isn't set.
After some investigation we found the cause in /core/Cookie.php.
There is no handling for the case where SSL or SameSite is needed. We quick-patched it by setting the "delete" of the ignore-cookie two times.
Now the first cookie gets ignored by Chrome, but the second cookie is accepted.
I hope you have a better idea to solve this problem.
I don't know if any issue in the cookie meta-issue #14904 already covers that (I haven't found that scenario there).
Greetings
René
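
The behaviour reported above, as an added example that is not part of the original issue and is not Matomo's code: a deletion `Set-Cookie` header is only honoured in a cross-site HTTPS context when it carries the same `Secure` and `SameSite` attributes as the header that set the cookie. The function names, the cookie value and the choice of `SameSite=None` are assumptions made for illustration.

```php
<?php
// Added example, not Matomo's core/Cookie.php. All function names are hypothetical.

/**
 * Build a Set-Cookie header value. The same builder is used for setting and
 * for deleting, so both headers always carry identical attributes.
 */
function buildSetCookieHeader(string $name, string $value, int $expires,
    string $path = '/', string $domain = '', bool $secure = false, string $sameSite = ''): string
{
    $sameSite = ucfirst(strtolower($sameSite));
    if ($sameSite !== '' && !in_array($sameSite, ['None', 'Lax', 'Strict'], true)) {
        throw new InvalidArgumentException("Invalid SameSite value: $sameSite");
    }
    // Browsers reject SameSite=None unless the cookie is also marked Secure.
    if ($sameSite === 'None' && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires the Secure attribute');
    }

    $header = rawurlencode($name) . '=' . rawurlencode($value)
        . '; expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT'
        . '; path=' . $path;
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        $header .= '; secure';
    }
    if ($sameSite !== '') {
        $header .= '; SameSite=' . $sameSite;
    }
    return $header;
}

/** Deletion is a normal Set-Cookie with an expiry in the past and the same attributes. */
function buildDeleteCookieHeader(string $name, string $path, string $domain,
    bool $secure, string $sameSite): string
{
    return buildSetCookieHeader($name, 'deleted', 1, $path, $domain, $secure, $sameSite);
}

// Constructed sample: the ignore cookie set and deleted from a cross-site HTTPS request.
$set = buildSetCookieHeader('piwik_ignore', 'ignore', time() + 365 * 86400, '/', '', true, 'None');
$del = buildDeleteCookieHeader('piwik_ignore', '/', '', true, 'None');

echo "Set-Cookie: $set\n";
echo "Set-Cookie: $del\n";
```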