OptOut requires a session (and therefore a PIWIK_SESSION cookie) #9812
Comments
|
Without the nonce anyone could opt out your users. Eg an "attacker" could place a hidden iframe on another website and when a user opens a page there he would opt out of your site. There might be better ways without a session but I haven't thought about it. Eg we could possibly generate and store a one-time "token" in database, and append it to the opt out URL. This would need to be implemented. |
tsteur
added
the
Enhancement
|
Very good point about a possible attack! I quickly hacked a pair of functions together that will generate and validate a token based on time and the IP of the user. It doesn't need any database, but the tokens can be used multiple times by the same IP. I put it in a gist at https://gist.github.com/Delphinator/c4d74d52eb7abc3f8a24. Would that work? |
|
Something like this should work. The secret should be kind of random or depending on the user, otherwise it is either possible to calculate the secret from the token, or it is possible to calculate / guess the token. For example if we used the salt, that is generated for each Piwik, one could calculate the salt as an attacker knows the |
mattab
added
the
wontfix
I would like to use piwik on my website without setting cookies, except the opt-out cookie. I added
disableCookiesin my tracker script and it works great.There is one important exception though: The opt-out iframe sets a PIWIK_SESSION cookie. This session is used during the opt-out process to validate a nonce in https://github.com/piwik/piwik/blob/master/plugins/CoreAdminHome/OptOutManager.php#L183.
I removed this check and now filter the PIWIK_SESSION cookie in an upstream proxy as a workaround, but that doesn't seem "right".
Why is a nonce needed there at all? Why can't there be some URL that sets the ignore-cookie?
Alternatively: Would a nonce with some sort of cryptographic signature for validation work?
The text was updated successfully, but these errors were encountered: