matomo-org / tracker-proxy

HTTP proxy for Matomo's tracker API. This script allows you to track websites with Matomo without revealing the secret Matomo server URL to your visitors.
http://matomo.org/faq/how-to/faq_132/
GNU General Public License v3.0

Proxy bypasses the Matomo "ignore" cookie. #58

Open yrammos opened 4 years ago

yrammos commented 4 years ago

Since installing the proxy, visits to my own websites are tracked even though my machines carry the administrator's "ignore" cookie. Any easy way to address this glitch? Thanks.

tsteur commented 4 years ago

AFAIK cookies should be forwarded in https://github.com/matomo-org/tracker-proxy/blob/master/proxy.php#L251

Is there any chance you could debug on your server or find out if the cookies are forwarded to your server or not?

yrammos commented 4 years ago

I'd be happy to debug, given some guidance (I am a coder but in entirely different fields) and a bit of time (this being a demanding month at work). Should I load one of my pages, locate the cookie in the inspector, and paste the cookie data here? What would server debugging entail in this case?

(Also, @tsteur, I'd appreciate any information on using the tracker proxy with the Matomo tag manager snippet, if that's possible in the first place. Happy to open another ticket if necessary.)

tsteur commented 4 years ago

It's a good question. Problem is that cookies won't be visible in your access log etc.

I'm guessing a good start would be to check if the proxy actually gets the cookie information. So for a short time in https://github.com/matomo-org/tracker-proxy/blob/master/proxy.php#L252 you could add some line

var_dump($_SERVER['HTTP_COOKIE']);exit;

or var_export($_SERVER['HTTP_COOKIE']);exit;

Then call the proxy like https://example.com/piwik.php?rec=0&idsite=1&action_name=foo

You'd expect to see the cookie printed there for you. Afterwards you would directly remove that line again so as not to break your tracking.

yrammos commented 4 years ago

@tsteur I'm finally able to debug this. I followed your instructions and got the following:

string(84) "_pk_id.1.e22d=1064edc5fc8c59cb.1585674799.6.1586095549.1586095439.; _pk_ses.1.e22d=1"

Thankful for any thoughts.

tsteur commented 4 years ago

There is no ignore cookie by the looks of it, thus it would be tracked. Do you know which browser they use? Chrome by any chance?

There were recently changes in Chrome on how they handle cookies, and if your tracker proxy is running on a different domain you may need to e.g. call _paq.push(['setSecureCookie', true]); in your tracking code if your site purely runs on HTTPS and not HTTP. See https://matomo.org/blog/2020/02/new-cookie-behaviour-in-browsers-may-cause-regressions/ for more information.

It's hard to say what could be the problem without seeing it on the site itself, so it's just a guess. You'd basically need to double check whether the pk_ignore cookie is set in the Browser Developer Tools, and if it is but it is not printed by the debug line you added above, then it means the browser is not forwarding that cookie.

yrammos commented 4 years ago

Thanks, @tsteur. The ignore function fails with all major browsers (Safari, Firefox, Chrome). Here is the domain setup:

matomo.domain1.com hosts Matomo

domain1.com
sub.domain1.com
domain2.com

The three websites are all tracked by Matomo using the tracker proxy.

The web inspector for matomo.domain1.com does show the ignore cookie:

piwik_ignore ignoreblablablablabla matomo.domain1.com / 4/5/2022, 11:13:01 PM 82 B secure

The web inspector for any of the three websites, on the other hand, does not show the ignore cookie.

Even if the cookie isn't pushed for domain2.com, shouldn't it at least be pushed for domain1.com and sub.domain1.com?

All websites and the Matomo installation are HTTPS-only.

tsteur commented 4 years ago

I probably had the quotes wrong, it might work when you use _paq.push(['setSecureCookie', true]);. Anyway, realising this might not be the issue.

Are you using the latest version of Matomo? And you need to make sure https is used when proxying the request to Matomo. This should hopefully make sure that the cookie gets the Secure;SameSite=None flags.

yrammos commented 4 years ago

@tsteur indeed setSecureCookie wasn't the issue, and Matomo is fully up-to-date. https:// is used when proxying to Matomo and, judging from the web inspector data (pasted above), the ignore cookie does get the Secure and SameSite=None properties. The trouble is that the cookie is not forwarded to any site, except for the Matomo installation itself (matomo.domain1.com). Very strange, I'm really at a loss...

tsteur commented 4 years ago

I see. Matomo does have a setting in config/config.ini.php named

[General]
cookie_domain = ""

I thought you could set this setting so it uses domain1.com but it seems this setting is not applied to the ignore cookie. I will create an issue about this in our core repository. It seems like there's no workaround so far unfortunately.
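As an added illustration (not code from tracker-proxy or Matomo) of why a cookie set by matomo.domain1.com is not visible on the three tracked sites, and of the debug step suggested earlier in this thread: the first function applies RFC 6265 cookie domain matching to the hosts listed above, and the remaining ones parse the Cookie header the proxy receives and check it for the piwik_ignore cookie; the header values used are the one pasted in this thread and a constructed variant of it.

```php
<?php
// Added example (not tracker-proxy or Matomo code): RFC 6265 cookie domain
// matching for the domain setup in this thread, plus a parser for the Cookie
// header the proxy sees in $_SERVER['HTTP_COOKIE'].

// Returns true if a cookie stored for $cookieDomain is sent with a request to
// $requestHost. A cookie set without a Domain attribute is "host-only" and is
// sent only to the exact host that set it; a cookie with Domain=domain1.com is
// sent to domain1.com and every subdomain of it, but never to domain2.com.
function cookieSentToHost(string $requestHost, string $cookieDomain, bool $hostOnly): bool
{
    $requestHost  = strtolower($requestHost);
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    if ($hostOnly || $requestHost === $cookieDomain) {
        return $requestHost === $cookieDomain;
    }
    // Domain-match: the request host must end with ".<cookieDomain>".
    $suffix = '.' . $cookieDomain;
    return strlen($requestHost) > strlen($suffix) && substr($requestHost, -strlen($suffix)) === $suffix;
}

// Splits a Cookie request header ("a=1; b=2") into a name => value map.
function parseCookieHeader(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        if (strpos($pair, '=') === false) {
            continue;
        }
        [$name, $value] = explode('=', trim($pair), 2);
        $cookies[$name] = $value;
    }
    return $cookies;
}

// True if the forwarded header carries the ignore cookie named in this thread.
function hasIgnoreCookie(string $header): bool
{
    return array_key_exists('piwik_ignore', parseCookieHeader($header));
}

foreach (['matomo.domain1.com', 'domain1.com', 'sub.domain1.com', 'domain2.com'] as $host) {
    printf("%-20s host-only cookie from matomo.domain1.com: %-8s Domain=domain1.com: %s\n", $host,
        cookieSentToHost($host, 'matomo.domain1.com', true) ? 'sent' : 'not sent',
        cookieSentToHost($host, 'domain1.com', false) ? 'sent' : 'not sent');
}

// Header captured in the thread (no ignore cookie) and a constructed one with it.
$captured = '_pk_id.1.e22d=1064edc5fc8c59cb.1585674799.6.1586095549.1586095439.; _pk_ses.1.e22d=1';
var_dump(hasIgnoreCookie($captured), hasIgnoreCookie($captured . '; piwik_ignore=CONSTRUCTED'));
```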

tsteur commented 4 years ago

Created https://github.com/matomo-org/matomo/issues/15778

yrammos commented 3 years ago

@tsteur #15778 has now been fixed but, as explained there, the present issue persists. May I suggest that we triage this?

tsteur commented 3 years ago

@yrammos sure, it would be great if you could investigate and look into this. That would be very appreciated.

yrammos commented 1 year ago

Wondering if there has been any progress on this (about 3 years later). I do not have resources to install a full-fledged build environment on my machine, but on a thorough reading of the code could not locate the issue. Many thanks for any insights or updates.