Problem/Motivation

When using HTTPS, it is recommended to use secure cookies (that are only sent over HTTPS).
Matomo has an option for this: https://fr.matomo.org/faq/general/faq_25936/
It would be nice if there was a way to enable this option in the module config.

Proposed resolution

We could probably add a checkbox in Privacy on /admin/config/system/matomo.

Comments

prudloff created an issue. See original summary.

prudloff’s picture

Status: Active » Needs review

prudloff’s picture

Rebased against 2.0.x.

The failing phpunit test seems to be unrelated: #3511606: MatomoBasicTest::testMatomoPageVisibility() fails in merge requests

arousseau’s picture

Status: Needs review » Reviewed & tested by the community

This is working as advertised, a "Secure cookies" checkbox is added to the settings form, and the "Secure" attribute is correctly set to true on the "_pk_id" and "_pk_sess" cookies used by Matomo.

prudloff’s picture

Issue tags: +Security improvements

grimreaper’s picture

Hello,

Thanks for the issue and MR.

Would it be possible to add a test please?

prudloff’s picture

I added a test.

grimreaper’s picture

Status: Reviewed & tested by the community » Needs review

Thanks!

One question about existing installations in review comment.

grimreaper’s picture

Assigned: Unassigned » grimreaper

ressa’s picture

EDIT: Oops, sorry false alarm! I now see that Matomo 8.x-1.26 is indeed Drupal 11-ready. I have 8.x-1.25 and that was why the Drupal 11 upgrade status page listed Matomo version 1 as problematic. Anyway, just disregard my comment :)

Thanks for working on this @prudloff and @grimreaper! I just checked Drupal 11-readiness for a Drupal 10 installation. All the contrib modules were D11-ready, as Matomo is -- but I did notice that Matomo 2 is in alpha, where a Beta or RC would feel safer, for most users to do the update from version 1 to version 2 ... And about that, shouldn't this issue be aimed at 2.x-dev, as well as #3376588: Add support for "setVisitorCookieTimeout"?

  • grimreaper committed 9d293b44 on 2.0.x authored by prudloff
    feat: #3376581 Add a way to set "setSecureCookie"
    
    By: prudloff
    By:...

grimreaper’s picture

Assigned: grimreaper » Unassigned
Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.