@Delphinator opened this Issue on February 20th 2016

I would like to use piwik on my website without setting cookies, except the opt-out cookie. I added disableCookies in my tracker script and it works great.

There is one important exception though: The opt-out iframe sets a PIWIK_SESSION cookie. This session is used during the opt-out process to validate a nonce in https://github.com/piwik/piwik/blob/master/plugins/CoreAdminHome/OptOutManager.php#L183.

I removed this check and now filter the PIWIK_SESSION cookie in an upstream proxy as a workaround, but that doesn't seem "right".

Why is a nonce needed there at all? Why can't there be some URL that sets the ignore-cookie?

Alternatively: Would a nonce with some sort of cryptographic signature for validation work?

@tsteur commented on February 22nd 2016 Owner

Without the nonce anyone could opt out your users. Eg an "attacker" could place a hidden iframe on another website and when a user opens a page there he would opt out of your site.

There might be better ways without a session but I haven't thought about it. Eg we could possibly generate and store a one-time "token" in database, and append it to the opt out URL. This would need to be implemented.

@Delphinator commented on February 22nd 2016

Very good point about a possible attack!

I quickly hacked a pair of functions together that will generate and validate a token based on time and the IP of the user. It doesn't need any database, but the tokens can be used multiple times by the same IP. I put it in a gist at https://gist.github.com/Delphinator/c4d74d52eb7abc3f8a24.

Would that work?

@tsteur commented on February 22nd 2016 Owner

Something like this should work. The secret should be kind of random or depending on the user, otherwise it is either possible to calculate the secret from the token, or it is possible to calculate / guess the token.

For example if we used the salt, that is generated for each Piwik, one could calculate the salt as an attacker knows the valid_till and IP. This would be possible eg via brute force. This means the secret would need to be differently for each user and we would need to change it again over time, ideally. This means we need to store the "secret" somewhere. If we use session for this, we'll have a cookie again :)

This Issue was closed on March 31st 2016
Powered by GitHub Issue Mirror