@toobaz opened this issue on May 24th 2010

Hello, this is my situation:

- domain www.a.it and domain www.b.it hosted by the same server
- www.a.it/piwik and www.b.it/piwik pointing to the same piwik instance

If I login to www.a.it/piwik and, in the preferences, set the cookie to ignore my visits, my visits to www.b.it are not ignored.

If I login to www.b.it/piwik, I find that indeed the cookie is not reported as set. If I set it there, I finally get that my visits to www.b.it are ignored.

Now, as a matter of principle this wouldn't be a terrible issue. However, the GUI for setting the cookie explicitly says "will exclude your visits on websites tracked by Piwik", so I guess there's some problem.

Please feel free to ask me for specific information (or to blame me for having missed something trivial).


@toobaz commented on May 24th 2010

Well, some information that I should provide without being asked: running piwik 0.6.1.

@halfdan commented on May 24th 2010

Your case is somewhat unusual with piwik running under two different domains. In fact if you set the cookie on a.it/piwik only websites that have a.it in their tracking code are excluded from the statistics. Basically a cookie is bound to the domain that created it (a.it) and will only be sent by your browser if you visit a page on the same domain (a.it). This is the reason the same Piwik instance doesn't know about your cookie when you visit it using b.it.

@robocoder commented on May 24th 2010

Halfdan's right. This is an intentional browser limitation to prevent cross-domain cookie hijacking.

@toobaz commented on May 24th 2010

I imagined it, and that's perfectly fine. But all the piwik management interface is absolutely general in terms of number and address and websites tracked, so add to it that the link to set the cookie says

" Click here to set a cookie that will exclude your visits on websites tracked by Piwik "

and you understand that it is very misleading. Please explain, near that link, what you just wrote to me, change the link text to "click here to set a cookie that will exclude your visits on currentdomain.it and subpages", and that's fine.

Notice that my case of piwik running under two domains may be unusual, but the case of tracking two different domains is certainly not, and the same problem applies (err, no, it's worse... but then, it's not your fault).

@mattab commented on May 24th 2010

Did you use DNS aliases to have both domains under the same piwik?

I would think that anybody using DNS aliases would understand how cookies work, but again I agree the message could be improved. Reopening.

@toobaz commented on May 24th 2010

I personally have no idea of what a DNS alias is.

To have both domains under the same piwik, I started, as suggested on the piwik forums (sorry, at the moment can't find where) with a bare symlink to a single piwik instance from two root directories of two different apache2 virtual servers. I'm sure people that play with apache configuration outnumber people who play with advanced DNS settings.

Then, I lately switched to using something like

Alias /piwik "/path/to/piwik/"
<Directory "/path/to/piwik/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

in the apache2 configuration for each site (I did that for cleanness, but also because apparently - didn't investigate really a lot - if the real piwik install was reached through a symlink pointing to a symlink, then the web interface missed any image, css and so on - if you're interested in that, I can try to replicate and file a separate bug).

My main problem is that I want to access statistics for different sites via the same administrative interface, but those are unrelated sites, so I don't want visitors of site b.it to see that they're connecting (or see in the html an address) to site a.it (btw, that's exactly the reason why I'm migrating away from Google Analytics).

Piwik is great at that, except where it can't, like in this case: and I think just stating it can't solves the problem.

Then, the perfection would be that the administrative interface does the following:

- I open it through a.it/piwik
- it knows that b.it is tracked through b.it/piwik, so tells me "hey, click here, but know that this particular ignore cookie will only affect site tracked through a.it/piwik"
- so it opens a small frame, or pulls a javascript, or anything, from b.it/piwik that allows me to manage the cookie for b.it (and all sites tracked through b.it), so that I see a nice button "hey, click here, but know that this particular ignore cookie will only affect site tracked through b.it/piwik"
- and does so for any other ./piwik that it has detected

But that introduces a non trivial layer of abstraction that I'm not sure piwik is interested in (and my php skills and time availability are not big enough...).

@robocoder commented on May 24th 2010

Using JavaScript/iframes could be ugly -- there's a similar cross domain scripting limitation with XmlHttpRequest, and hackish workarounds for iframes on IE and Safari, e.g. http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/

I'm not even sure if we can tackle this as part of the first-party cookie implementation in #557.

@toobaz commented on May 24th 2010

(If I give another proof of my ignorance, it's the last one, but...) why should the XmlHttpRequest limitation be a problem here, if the javascript is downloaded from the other site?! I can't see the difference from a normal tracking javascript.

@robocoder commented on May 24th 2010

Suppose we have a site with 2 sites being tracked, with the following URLs:

idsite=1:

- www.site1.com - main domain
- www.site1.net - an alias domain
- mydomain.com/site1 - a subdomain

idsite=2:

- www.site2.com - main domain
- www.site2.net - an alias domain
- mydomain.com/site2 - a subdomain

Let's also say the Piwik tracker can be accessed as a folder in any of the above, e.g., www.site1.com/piwik, www.site1.net/piwik, mydomain.com/site1/piwik, etc.

And just to make it interesting, let's say I access my master Piwik installation via mystats.com.

If I click on "set a cookie to exclude my visits", we would actually need to generate piwik-ignore cookies for all 6 domains. The JavaScript (loaded from mystats.com) cannot call the API on site1.com, site1.net, site2.com, site2.net, or mydomain.com using XmlHttpRequest because of the cross domain scripting restriction (unless the user has changed their default browser security settings to enable this).
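Added example, not part of the thread and not Piwik code: a simplified model of the RFC 6265 domain-match rules, run over the hosts from the scenario above, showing why an ignore cookie set while visiting mystats.com never reaches the tracker on the other hosts and why mystats.com cannot set one on their behalf. The cookie name is a placeholder, and public-suffix and IP-address checks are left out.

```javascript
// RFC 6265 sec. 5.1.3: a host domain-matches a cookie domain when the two
// are identical or the host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Model of how a browser stores a Set-Cookie received from `responseHost`.
// Returns the stored record, or null when the browser rejects the cookie.
function storeCookie(responseHost, name, domainAttr) {
  if (domainAttr) {
    const d = domainAttr.replace(/^\./, "").toLowerCase();
    // A response may only name a domain that its own host domain-matches.
    if (!domainMatch(responseHost, d)) return null;
    return { name, domain: d, hostOnly: false };
  }
  // No Domain attribute: host-only cookie, bound to the exact response host.
  return { name, domain: responseHost.toLowerCase(), hostOnly: true };
}

// Would the browser attach `cookie` to a request for `requestHost`?
function isSent(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Hosts under which the tracker is reachable in the scenario above.
const TRACKER_HOSTS = ["www.site1.com", "www.site1.net",
                       "www.site2.com", "www.site2.net", "mydomain.com"];

function hostsReceiving(cookie) {
  return TRACKER_HOSTS.filter((h) => isSent(cookie, h));
}

const NAME = "ignore_placeholder"; // placeholder cookie name
// Cookie set while logged in at mystats.com: no tracker host ever sees it.
const fromStats = storeCookie("mystats.com", NAME, null);
// mystats.com trying to set it for site1.com: rejected by the browser.
const foreign = storeCookie("mystats.com", NAME, "site1.com");
// Only a response served from a site1.com host can cover that domain.
const viaSite1 = storeCookie("www.site1.com", NAME, "site1.com");

console.log(hostsReceiving(fromStats), foreign, hostsReceiving(viaSite1));
```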

@toobaz commented on May 24th 2010

Sure; I was thinking about a server-generated page that would contain hardcoded references to (possibly very light, and ordered in more pages, if they are a lot) javascripts retrieved each from the relative domain, and a "set a cookie to exclude my visits to x.it" for each x.it.

Then the exact mapping between tracked sites and "tracking points" could be studied in detail, what I just mean is that certainly some work on the php side would be needed. On the other hand, I don't see how a web interface showing the "tracking points" possibly distributed in more pages, each page pulling something like 5 javascripts (from 5 different domains) with very few lines of code each, would really constitute a problem.

But feel free to skip the details if you really think it's unfeasible, I don't want to lose your time.

@robocoder commented on May 25th 2010

Retrieving JavaScript from each site (to work around the cross domain limitation) would require the user to specify the location of the piwik folder in each tracked site, if any, per URL. That can be onerous for Piwik users, just so the click-to-exclude code can locate:

site1.com/piwik/x.js, site2.com/stats/x.js, mystats.com/x.js

Perhaps we can implement this using image requests (like the web bug image).

@robocoder commented on May 25th 2010

(In [2214]) quick fixes #1376 - add cookie domain to link text, i.e.,

Click here to set a cookie that will exclude your visits on websites tracked by Piwik on MYSITE.TLD

@toobaz commented on May 25th 2010

My point was precisely that the piwik install itself would bear the task of remembering from where it is accessed, the user should at most ensure that one visit is done before trying to set the cookie.

But again, the implemented solution is perfectly acceptable, thanks.

This issue was closed on May 25th 2010