JS Tracker: set secure flag for _pk_testcookies #15313

@cundd

Description

The test-cookie is not explicitly set as "secure". This generates a warning with our PCI Security Scan.

THREAT:
The cookie does not contain the "secure" attribute.
IMPACT:
Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
SOLUTION:
If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
RESULT:
1GEThttps://domain.comSG9ovKg0K_pk_testcookie.11.e5c9=1; path=/; domain=domain.com

A possible fix could be to pass configCookieIsSecure to the setCookie() function.

@@ -3925,7 +3925,7 @@ if (typeof window.Piwik !== 'object') {
 
                 // for IE we want to actually set the cookie to avoid trigger a warning eg in IE see #11507
                 var testCookieName = configCookieNamePrefix + 'testcookie';
-                               setCookie(testCookieName, '1');
+                setCookie(testCookieName, '1', undefined, configCookiePath, configCookieDomain, configCookieIsSecure);
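Review bot: the `+` line passes `undefined` as the third argument (the expiry), so whether the test cookie stays a session cookie as it did with the old two-argument call depends on how setCookie() treats an undefined expiry; please confirm that, and note that adding configCookiePath and configCookieDomain also changes the cookie's scope compared with the old call, which set neither. Separately, a browser will not store a cookie carrying `secure` when the page is served over plain http, so with configCookieIsSecure set to true on such a page the test cookie is silently never written; the IE case the comment references (#11507) and whatever reads the test cookie back should be checked against that before sending the PR.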

Is this a viable solution? Should I send a PR?
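As an added example in JavaScript, not code from the Matomo tracker: the builder below assumes the parameter order of the proposed setCookie() call (name, value, msToExpire, path, domain, isSecure) and shows the string each of the two calls in the diff produces, the scanner-style check that flags the old one, and why the secure flag has to match the page's scheme. All function names are hypothetical.

```javascript
// Added example (not Matomo's code): a cookie-string builder whose parameter
// order mirrors the setCookie() call in the diff, a parser, and a scanner-style check.
// Parameter order assumed from the issue: name, value, msToExpire, path, domain, isSecure.
function buildCookieString(name, value, msToExpire, path, domain, isSecure) {
  let cookie = name + '=' + encodeURIComponent(value);
  if (msToExpire !== undefined) {
    // No expires attribute means a session cookie, as with the old two-argument call.
    cookie += '; expires=' + new Date(Date.now() + msToExpire).toUTCString();
  }
  if (path) cookie += '; path=' + path;
  if (domain) cookie += '; domain=' + domain;
  if (isSecure) cookie += '; secure';
  return cookie;
}

// Split "key=value" on the first "=" only; a bare flag has no value.
function splitFirst(s) {
  const i = s.indexOf('=');
  return i < 0 ? [s, undefined] : [s.slice(0, i), s.slice(i + 1)];
}

// Parse "name=value; attr=val; flag"; attribute names are case-insensitive (RFC 6265).
function parseCookieAttributes(cookieString) {
  const parts = cookieString.split(';').map(p => p.trim());
  const [name, value] = splitFirst(parts[0]);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const [k, v] = splitFirst(part);
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, value, attrs };
}

// Scanner-style finding: names of cookies that lack the "secure" attribute.
function findInsecureCookies(cookieStrings) {
  return cookieStrings.map(parseCookieAttributes)
    .filter(c => c.attrs.secure !== true).map(c => c.name);
}

// Browsers will not store a Secure cookie set from a non-https page, so the
// flag must follow the page's actual scheme or the test cookie is silently lost.
function browserWouldStore(cookieString, pageProtocol) {
  const secure = parseCookieAttributes(cookieString).attrs.secure === true;
  return !secure || pageProtocol === 'https:';
}

// Constructed samples mirroring the "-" and "+" lines of the diff.
const oldCall = buildCookieString('_pk_testcookie', '1');
const newCall = buildCookieString('_pk_testcookie', '1', undefined, '/', 'domain.com', true);
```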
