@kkretsch opened this issue on February 24th 2017

I think this topic was discussed years ago, but I do get negative security points via Mozilla's Observatory when delivering first party tracking cookies without the secure flag.

I think it should be possible to enable that flag on a per website basis. Most websites I set up are SSL only; a request to non-encrypted pages gets redirected to SSL, and that is the recommended canonical URL for every page. So I don't need any sharing of session tracking cookies between http and https.

@mattab commented on February 24th 2017

Thanks for the suggestion @kkretsch - I think we'd need a new method in the piwik.js tracker code eg. setSecureCookies and then we'd simply need to set the secure parameter to 1 in the setCookie() function calls. Would be easy to implement :+1:

@dudu84 commented on May 26th 2017

Hi! Can I work on this?

@sgiehl commented on May 26th 2017

@dudu84 sure, a pull request would be very welcome

@dudu84 commented on May 27th 2017

Hi @mattab! As I am new here I'm a little bit lost still. The environment is up and running. I've written the setSecureCookies() method and the tests for it but I'm not sure about its content yet. Would it just call the setCookie() with one more parameter (1 in the case)? Thanks!

@mattab commented on June 2nd 2017

@dudu84 setSecureCookies would set the internal variable to 1, and then in setCookie() you'll check this variable, and if it is set then you set the secure cookie flag

This issue was closed on August 3rd 2017
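
The flag-then-check design described in the last comment, as an added example that is not piwik.js source and not code from anyone in the thread. `createTracker` and its `doc`/`loc` parameters are hypothetical stand-ins for the browser's `document` and `location`, and the cookie name and value are constructed sample data.

```javascript
// Added illustration of the setSecureCookies()/setCookie() interplay.
// createTracker, doc and loc are hypothetical names, not the piwik.js API.
function createTracker(doc, loc) {
  let secureCookies = false; // internal variable toggled by setSecureCookies()

  function setCookie(name, value, msToExpire, path, domain) {
    // Current browsers discard a Secure cookie written from an http:// page,
    // so skip the write instead of silently falling back to a non-Secure one.
    if (secureCookies && loc.protocol !== 'https:') {
      return null;
    }
    const parts = [name + '=' + encodeURIComponent(value)];
    if (msToExpire) {
      const expires = new Date(Date.now() + msToExpire);
      parts.push('expires=' + expires.toUTCString());
    }
    parts.push('path=' + (path || '/'));
    if (domain) {
      parts.push('domain=' + domain);
    }
    if (secureCookies) {
      parts.push('secure'); // cookie is then only sent over HTTPS
    }
    const cookie = parts.join(';');
    doc.cookie = cookie;
    return cookie;
  }

  return {
    setSecureCookies(enable) { secureCookies = Boolean(enable); },
    setCookie,
  };
}

// Constructed sample run: the same cookie before and after enabling the flag.
function demo(protocol) {
  const doc = { cookie: '' };
  const tracker = createTracker(doc, { protocol });
  const before = tracker.setCookie('visitor_id', 'f00d.1487900000', 0, '/', 'example.org');
  tracker.setSecureCookies(true);
  const after = tracker.setCookie('visitor_id', 'f00d.1487900000', 0, '/', 'example.org');
  return { before, after, stored: doc.cookie };
}

console.log(demo('https:'));
console.log(demo('http:'));
```

To confirm the attribute in a real browser, check the Secure column for the tracking cookie in the developer tools' cookie storage view after loading the page over HTTPS.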