OptOut requires a session (and therefore a PIWIK_SESSION cookie) #9812
Labels
Enhancement
wontfix
I would like to use piwik on my website without setting cookies, except the opt-out cookie. I added disableCookies in my tracker script and it works great. There is one important exception though: The opt-out iframe sets a PIWIK_SESSION cookie. This session is used during the opt-out process to validate a nonce in https://github.com/piwik/piwik/blob/master/plugins/CoreAdminHome/OptOutManager.php#L183.
I removed this check and now filter the PIWIK_SESSION cookie in an upstream proxy as a workaround, but that doesn't seem "right".
Why is a nonce needed there at all? Why can't there be some URL that sets the ignore-cookie?
Alternatively: Would a nonce with some sort of cryptographic signature for validation work?
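
The signed-nonce idea raised in the last question, as an added example that is not part of the original issue and is not Matomo's code: an HMAC-signed, expiring token that the server can validate without any session state. The function names, the token layout and OPTOUT_SECRET are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side secret (assumption); load it from configuration, never hard-code it.
const OPTOUT_SECRET = 'constructed-example-secret-change-me';
const OPTOUT_TTL = 600; // seconds a token stays valid

/** Issue a token "expiry.random.mac" that needs no server-side session state. */
function issueOptOutToken(string $secret, int $now, int $ttl = OPTOUT_TTL): string
{
    $expiry = $now + $ttl;
    $random = bin2hex(random_bytes(16));            // makes each token unique
    $payload = $expiry . '.' . $random;
    // The "optout|" prefix ties the MAC to this one purpose.
    $mac = hash_hmac('sha256', 'optout|' . $payload, $secret);
    return $payload . '.' . $mac;
}

/** Check the token format, then the MAC in constant time, then the expiry. */
function verifyOptOutToken(string $token, string $secret, int $now): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$expiry, $random, $mac] = $parts;
    if (!ctype_digit($expiry) || !ctype_xdigit($random) || strlen($random) !== 32) {
        return false;
    }
    $expected = hash_hmac('sha256', 'optout|' . $expiry . '.' . $random, $secret);
    if (!hash_equals($expected, $mac)) {            // constant-time comparison
        return false;
    }
    return (int) $expiry >= $now;
}

// Constructed demonstration values.
$now = time();
$token = issueOptOutToken(OPTOUT_SECRET, $now);
var_dump(verifyOptOutToken($token, OPTOUT_SECRET, $now));                  // fresh token
var_dump(verifyOptOutToken($token, OPTOUT_SECRET, $now + OPTOUT_TTL + 1)); // after expiry
var_dump(verifyOptOutToken($token . '0', OPTOUT_SECRET, $now));            // altered MAC
var_dump(verifyOptOutToken($token, 'other-secret', $now));                 // different key
```

Such a token proves only that the server issued it recently. Because it is not tied to a browser session, it does not by itself bind the request to the visitor who loaded the opt-out form.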