@renefreund opened this Issue on October 30th 2020

Hi,

We use AjaxOptOut-Plugin instead of the OptOut-Iframe: https://plugins.matomo.org/AjaxOptOut?piwikversion=3.

The Matomo host and the website host don't share the same domain name, and both use HTTPS.

The IgnoreCookie::setIgnoreCookie(); function works fine.

But IgnoreCookie::getIgnoreCookie()->delete(); fails to delete the "piwik_ignore".

Browsers (like Chrome 86) mention that SameSite isn't set.

After some investigation we found the cause in /core/Cookie.php

    public function delete()
    {
        $this->setP3PHeader();
        $this->setCookie($this->name, 'deleted', time() - 31536001, $this->path, $this->domain);
    }

There is no handling here if SSL or SameSite is needed. We quick-patched it by setting the "delete" of the ignore cookie two times.

    public function delete()
    {
        $this->setP3PHeader();
        $this->setCookie($this->name, 'deleted', time() - 31536001, $this->path, $this->domain);
        $this->setCookie($this->name, 'deleted', time() - 31536001, $this->path, $this->domain, TRUE, FALSE, 'None');
    }

Now the first cookie gets ignored by Chrome, but the second cookie is accepted.

I hope you have a better idea to solve this problem.

I don't know if any issue in the cookie meta-issue #14904 already covers that (I haven't found that scenario there).

Greetings
René
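
Added example (not part of the original issue and not Matomo's code): a standalone PHP helper illustrating the point raised above, that the Set-Cookie header which expires a cookie has to carry the same Secure and SameSite=None attributes as the one that created it, or a browser handling the response cross-site does not act on it. The function names, the attribute array, the host name, the cookie value and the lifetime are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not Matomo's Cookie class: builds one Set-Cookie header line.
function buildSetCookie(string $name, string $value, int $expires, array $attrs): string
{
    $secure   = (bool) ($attrs['secure'] ?? false);
    $sameSite = $attrs['samesite'] ?? null;

    // Browsers that enforce the SameSite rules reject SameSite=None without Secure.
    if ($sameSite !== null && strcasecmp($sameSite, 'None') === 0 && !$secure) {
        throw new InvalidArgumentException('SameSite=None requires Secure');
    }

    $parts = [
        rawurlencode($name) . '=' . rawurlencode($value),
        'expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT',
    ];
    if (!empty($attrs['path']))     { $parts[] = 'path=' . $attrs['path']; }
    if (!empty($attrs['domain']))   { $parts[] = 'domain=' . $attrs['domain']; }
    if ($secure)                    { $parts[] = 'secure'; }
    if (!empty($attrs['httponly'])) { $parts[] = 'HttpOnly'; }
    if ($sameSite !== null)         { $parts[] = 'SameSite=' . $sameSite; }

    return 'Set-Cookie: ' . implode('; ', $parts);
}

// Deleting reuses the attribute set the cookie was created with; only the
// value and the expiry (in the past, as in the issue's delete()) change.
function buildDeleteCookie(string $name, array $attrs): string
{
    return buildSetCookie($name, 'deleted', time() - 31536001, $attrs);
}

// Constructed sample values: host name, cookie value and lifetime are made up.
$ignoreCookieAttrs = [
    'path'     => '/',
    'domain'   => 'matomo.example.org',
    'secure'   => true,
    'httponly' => false,
    'samesite' => 'None',
];

echo buildSetCookie('piwik_ignore', 'ignore', time() + 30 * 86400, $ignoreCookieAttrs), PHP_EOL;
echo buildDeleteCookie('piwik_ignore', $ignoreCookieAttrs), PHP_EOL;

// Same delete without Secure/SameSite: the header form Chrome did not act on in the issue.
echo buildDeleteCookie('piwik_ignore', ['path' => '/', 'domain' => 'matomo.example.org']), PHP_EOL;
```

To send a line built this way, pass it to `header()` with the replace argument set to `false` so that several Set-Cookie headers can coexist in one response.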

@tsteur commented on November 1st 2020 Member

Thank you for creating this issue. I thought we already had an issue for this, but it doesn't look like it.
