getodk / central

ODK Central is a server that is easy to use, very fast, and stuffed with features that make data collection easier. Contribute and make the world a better place! ✨🗄✨
https://docs.getodk.org/central-intro/
Apache License 2.0

Analytics cookie not stored #149

Closed matthew-white closed 4 years ago

matthew-white commented 4 years ago

I'm seeing the following console warning in Chrome:

A cookie associated with a cross-site resource at http://getodk.github.io/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I don't think an existing cookie will be removed, but I think a new cookie will no longer be added. When I log into the sandbox on Chrome and look at my cookies, I do not see an analytics cookie.

yanokwa commented 4 years ago

According to https://www.chromium.org/updates/same-site, Google has started enforcing SameSite settings in Chrome.

According to https://www.simoahava.com/analytics/cookieflags-field-google-analytics/, we can add the following to news.html to fix this issue.

ga('create', 'UA-XXXXX-Y', {
  cookieFlags: 'secure;samesite=none'
});

I bet this will also be an issue for https://github.com/getodk/xlsform-online. @matthew-white can you try this change and see if it fixes it?
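The fix proposed above depends on two Chrome rules: a cookie with no SameSite attribute is treated as Lax and dropped when set from a cross-site resource such as the embedded iframe, and SameSite=None is only honoured together with Secure. As an added example (not code from getodk/central or from analytics.js), here is a small JavaScript model of those rules that checks the cookie string before and after the `cookieFlags` change; the `_ga` cookie name and value are constructed, and the way `buildGaCookie` appends `cookieFlags` is an assumption about the library's behaviour.

```javascript
// Added example, not code from getodk/central: a small model of the Chrome
// SameSite-by-default rules quoted in the warning above, used to check a
// cookie string before it is written from a cross-site iframe.

// Parse "name=value; attr; attr=value" into its parts (attribute names lowercased).
function parseSetCookie(cookieString) {
  const parts = cookieString.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const [key, ...v] = part.split('=');
    attrs[key.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Apply the two rules Chrome enforces: a missing SameSite attribute is treated
// as Lax (so the cookie is dropped in a cross-site context), and SameSite=None
// is only accepted together with Secure.
function evaluateCookie(cookieString, { crossSite }) {
  const { attrs } = parseSetCookie(cookieString);
  const sameSite =
    typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : 'lax';
  const secure = attrs.secure === true;
  if (sameSite === 'none' && !secure) {
    return { stored: false, reason: 'SameSite=None requires Secure' };
  }
  if (crossSite && sameSite !== 'none') {
    return { stored: false, reason: `SameSite=${sameSite} blocks cross-site cookies` };
  }
  return { stored: true, reason: 'accepted' };
}

// Build the cookie string a tracker would write. Mirrors how the cookieFlags
// option appends extra attributes to the cookie (an assumption about the
// library's behaviour; the cookie name and value here are constructed).
function buildGaCookie(cookieFlags, name = '_ga', value = 'GA1.2.111111.222222') {
  const base = `${name}=${value}; path=/`;
  return cookieFlags ? `${base}; ${cookieFlags}` : base;
}

// Before the fix: no flags, set from the cross-site iframe, so Chrome drops it.
const before = evaluateCookie(buildGaCookie(''), { crossSite: true });
// After the fix: 'secure;samesite=none' is accepted in the cross-site context.
const after = evaluateCookie(buildGaCookie('secure;samesite=none'), { crossSite: true });
console.log(before, after);
```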

matthew-white commented 4 years ago

After making a change along these lines, the cookie was stored. 🎉 I've pushed the PR #166 with this change.

My sense is that the reason we need to specify SameSite=None is because we use a cross-site iframe. If/when we add more analytics and move that out of the iframe, we might not need to specify SameSite=None.

matthew-white commented 4 years ago

> I bet this will also be an issue for https://github.com/getodk/xlsform-online.

When I navigate to https://getodk.org/xlsform/ in Chrome, I actually do see analytics cookies, under both https://getodk.org and https://xlsform.getodk.org. The Domain attribute of these cookies is .getodk.org. Maybe it works because the iframe is the same domain? Also, according to Cookies and user identification with gtag.js:

> By default, gtag.js has automatic cookie domain configuration enabled. When enabled, gtag.js will set cookies on the highest level domain it can. For example, if your website address is blog.example.com, gtag.js will set cookies on the example.com domain.