matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

Feature request for cookie encryption #3949

Open anonymous-matomo-user opened 11 years ago

anonymous-matomo-user commented 11 years ago

Hi,

This is the first time I have opened such a ticket, so I apologize if I make any mistakes here.

As discussed in the forum, I suggest implementing the option to encrypt cookie content to solve two non-trivial security issues. The first is to prevent users from manipulating the cookie content, and the second is better cooperation with security tools like Mod-Security.

For this purpose I have tried to implement a Blowfish class to transparently encrypt everything you like. Find my patch file attached to this ticket.

At this point I need help and someone who has a deeper understanding of what Piwik does internally. So here is my first try.

Keywords: blowfish, cookie encryption

anonymous-matomo-user commented 11 years ago

Attachment: Patch created against master commitpoint 6257f0655ae8fc8ca6b99f700783f3d0f18dbf35 cookie_encryption.patch

robocoder commented 11 years ago

For Piwik 2.0, it might be easier to simply drop our setcookie wrapper and advise users to use Suhosin's built-in cookie encryption.

halfdan commented 11 years ago

@vipsoft, Suhosin is dead. There hasn't been any release for PHP 5.4 nor 5.5 and there most likely will never be any.