matomo-org / matomo

https://matomo.org/
GNU General Public License v3.0

Don't set a cookie when first displaying the opt-out iframe #16791

Open gwire opened 3 years ago

gwire commented 3 years ago

We've attempted to do cookie-less use of Matomo, but now adding the "opt-out" iframe will immediately set the session cookie "MATOMO_SESSID" anyway - this happens regardless of any interaction with the content of the frame.

Is it possible to do an opt-out iframe that doesn't immediately set a cookie regardless of user action?

This is 4.0.0 using the code generated by the "Let users opt-out of tracking" setting.

tsteur commented 3 years ago

Hi @gwire, thanks for creating this issue. It's a duplicate of https://github.com/matomo-org/matomo/issues/14402 and the cookie is needed for security reasons, unfortunately. If you're worried re GDPR, this cookie is definitely an essential cookie that is needed; no consent or anything needs to be obtained. It also doesn't track the user. There is no way to disable it so far unless you were to build a custom opt-out form, see https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form . Is this maybe an option?

micschro commented 2 years ago

I think it's still unfortunate that this cookie is called "MATOMO_SESSID", then. With this name, privacy-aware visitors will probably assume this is a tracking cookie. Couldn't it be called e.g. "CSRF_NONCE" or something like that?