HttpOnly Tracking Cookie

skygate · January 8, 2013, 11:56am

Hello all,

I found all the tracking cookies of Piwik not having set httpOnly to ‘true’. The default value is ‘false’ in the class ‘Cookie’. I have found no way to configure this.
Is there a reason why the value of httpOnly is ‘false’? Is it ok too change this to ‘true’?

TIA!

Kind Regards

Tobias

matthieu · January 9, 2013, 9:00am

are you talking of first party cookies in JS or 3rd party cookies in PHP (disabled by default) ?

skygate · January 9, 2013, 9:11am

Hmmm…well, I am not sure but I think it is a cookie set by PHP. If it helps, I am talking about cookies with a name like _pk_id.1.91db and _pk_ses.1.91db.

matthieu · January 10, 2013, 10:51pm

These cookies are set in JS and are not sent to the piwik tracking server

skygate · January 11, 2013, 9:10am

so it is not possible to make them httponly. alright…

Thanks for the info!

matthieu · January 11, 2013, 10:14am

See the code here: http://dev.piwik.org/trac/browser/trunk/js/piwik.js#L1133

TobBen · December 11, 2017, 7:42am

cause this topic is quite 5 years old … is it possible now to set the cookie httpOnly to ‘true’?

Lukas · December 11, 2017, 8:34am

Hi,

You can check the code here:

github.com

piwik/piwik/blob/3.x-dev/js/piwik.js#L3219




// Document title
try {
    configTitle = documentAlias.title;
} catch(e) {
    configTitle = '';
}


/*
 * Set cookie value
 */
function setCookie(cookieName, value, msToExpire, path, domain, isSecure) {
    if (configCookiesDisabled) {
        return;
    }


    var expiryDate;


    // relative time to expire in milliseconds
    if (msToExpire) {
        expiryDate = new Date();

What Matthieu mentioned is still true:
httpOnly means that the cookie is impossible to read or modify via Javascript. But this is incompatible to the fact that the cookie will be set by the tracking code in Javascript

TobBen · December 11, 2017, 8:48am

thanks a lot for this answer