matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

Tracking Cookie gets set if "DNT=1" #10162

Open 85pando opened 8 years ago

85pando commented 8 years ago

We use Piwik with the cookies disabled: use_third_party_id_cookie = 0 and _paq.push(['disableCookies']); (trying not to have to display those stupid EU-warnings about Cookies).

Unfortunately it seems the case that there is some mixup. If "do not track" is disabled in the browser everything is fine, if it is enabled a Cookie is set. I think the idea of this cookie is to "delete" cookies that might have been set before, as the expiration is before the cookie is actually set. If this is the case, the corresponding page in the FAQ should probably be updated to include this.

piwik-cookie

Piwik version is 2.16.1.

tsteur commented 8 years ago

The cookie should be set with a date in the past and be deleted immediately. This "delete" cookie is basically set to delete any existing cookies. We could make it a bit smarter and set the delete cookie only if one is actually set currently which is likely the case unless disableCookies was called before like in your case.

Solution would be to send along the tracking request whether cookies are disabled and then consider this server side as well.

85pando commented 8 years ago

> This "delete" cookie is basically set to delete any existing cookies.

That's what I thought it's for (-:

> The cookie should be set with a date in the past and be deleted immediately.

In Firefox that's true, in Chrome however the expired cookie is stored. We just want to prevent those EU-cookie-warnings, so we'd rather have no cookies at all.

> Solution would be to send along the tracking request whether cookies are disabled and then consider this server side as well.

Another idea would be to make disable-cookies an enum with {false | delete | true} or add a second flag like disable-delete-cookies or something like that. In this way the server admin could decide, what should be used.

tsteur commented 8 years ago

A workaround so far would be maybe to call deleteCookies after each tracking request. Eg _paq.push(['trackPageview']);_paq.push(['deleteCookies']) but I haven't tried whether it actually works.

85pando commented 8 years ago

To clarify, the cookie is not set in Chrome but it is displayed in the cookie list with a 2015 expiration date. There certainly is a valid use case for the pk_uid=deleted cookie, namely to delete a cookie that was previously set. However, for sites like ours that have never set such a cookie in the past, this is unnecessary. We fear that users who check if the site sets any cookies, will just see that there is a cookie being set and are not looking at the expiration date.

We will try your workaround suggestion and get back here.

85pando commented 8 years ago

Can confirm that this prevents storage of the cookie as a workaround.

85pando commented 8 years ago

Alternatively, my colleague also added this to the virtual host of the piwik server (Apache) before I set _paq.push(['deleteCookies']):

<VirtualHost […]>
    ServerName piwik.[…]
    […]
    SetEnvIf Request_URI "^/piwik\.php" is_tracker
    Header unset Set-Cookie env=is_tracker
</VirtualHost>
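
Added example, not part of the thread and not Matomo code: a Node.js check that classifies the Set-Cookie values of a tracker response as deletion markers or stored cookies, useful for verifying a cookieless setup or the Apache rule above. The header strings passed to it are assumed to be captured from the tracking endpoint; only the name pk_uid and the value deleted come from the thread.

```javascript
// Added example: audit Set-Cookie values returned by a tracking endpoint.
// Function names are hypothetical; inputs are raw Set-Cookie header values.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? '' : pair.slice(eq + 1),
    expires: null,
    maxAge: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'expires') cookie.expires = new Date(val);
    if (key === 'max-age' && /^-?\d+$/.test(val)) cookie.maxAge = Number(val);
  }
  return cookie;
}

// "deletion": already expired on arrival, so nothing should be stored.
// "session": no expiry given, kept until the browser closes.
// "persistent": stored until the stated expiry.
function classify(header, now = new Date()) {
  const c = parseSetCookie(header);
  // Max-Age takes precedence over Expires (RFC 6265, section 5.3).
  if (c.maxAge !== null) return c.maxAge <= 0 ? 'deletion' : 'persistent';
  if (c.expires && !Number.isNaN(c.expires.getTime())) {
    return c.expires <= now ? 'deletion' : 'persistent';
  }
  return 'session';
}

function auditTrackerResponse(setCookieHeaders, now = new Date()) {
  const findings = setCookieHeaders.map((h) => ({
    name: parseSetCookie(h).name,
    kind: classify(h, now),
  }));
  return {
    findings,
    storesCookie: findings.some((f) => f.kind !== 'deletion'),
    headerFree: findings.length === 0, // no Set-Cookie on the wire at all
  };
}
```

headerFree is the stricter of the two results: a deletion cookie stores nothing, but it is still a Set-Cookie header that a visitor inspecting the response will see.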