Feature suggestion: Please make Login with deactivated Referers possible


Hi there!

If I log in to Piwik with referers disabled (Firefox addon RefControl), Piwik says:

“Form security key is invalid or has expired. Please reload the form and check that your cookies are enabled.”

First of all, this message is wrong, because I have cookies enabled.

Second, I want to use Piwik with referers disabled. One reason for this wish is that when clicking on a providers my referer is shown in their statistics.

Finally, I want to say thank you to the Piwik developers. I will probably switch from Google Analytics to Piwik.

(vipsoft) #2

Members of the Piwik team regularly read and respond to posts on the forum.

  1. The “RefControl” add-on (or its settings) must be broken/wrong. I just tested with a different add-on (“Modified Headers”) and filtered (i.e., suppressed) the Referer header, and I was able to log in to Piwik successfully, without any error message.

  2. No, we won’t disable the Referer (sic) check. This is a security feature and is described in “Robust Defenses for Cross-Site Request Forgery”.

  3. Referers from Google Adwords. Thanks. I’ve added your suggestion to “Track visits from adwords and yahoo content campaigns” (Issue #476, matomo-org/matomo on GitHub).
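
An added illustration, not Piwik's code and not part of the original thread: the paper cited in point 2 distinguishes lenient Referer validation (a missing header is accepted) from strict validation (a missing header is rejected), and the successful login with a suppressed header in point 1 is consistent with the lenient form. The site URL, header values and function names below are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) of an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(), port or DEFAULT_PORTS[parts.scheme])


def referer_allowed(headers, site_url, strict=False):
    """Referer check for a state-changing request such as a login POST.

    Lenient (default): an absent or empty Referer passes; a present one must
    have the same scheme, host and port as the site.
    Strict: an absent or empty Referer is rejected as well.
    """
    expected = origin_of(site_url)
    if expected is None:
        raise ValueError("site_url must be an absolute http(s) URL")
    # Header names are case-insensitive.
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), "")
    if not referer.strip():
        return not strict
    # Compare the whole origin, never a substring or suffix of the host.
    return origin_of(referer) == expected


# Constructed sample requests (hypothetical hosts).
SITE = "https://analytics.example.org/piwik/"
CASES = [
    ("header suppressed", {}),
    ("same site", {"Referer": SITE + "index.php?module=Login"}),
    ("other site", {"Referer": "https://evil.example.net/form.html"}),
    ("look-alike host", {"Referer": "https://analytics.example.org.evil.example.net/"}),
    ("rewritten to junk", {"Referer": "not a url"}),
]

if __name__ == "__main__":
    for label, headers in CASES:
        lenient = referer_allowed(headers, SITE)
        strict = referer_allowed(headers, SITE, strict=True)
        print(f"{label:18} lenient={lenient!s:5} strict={strict}")
```

Only the suppressed-header case differs between the two modes; a header that is present but does not match the site fails in both.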


Thanks for answering.

  1. I will try to get in contact with the RefControl developers to report the bug.

  2. I know you use the referrer for security reasons. But I also heard referrers should not be used for security checks because they can be easily manipulated. (see here, for example: HugeDomains.com - MusTap.com is for sale (Mus Tap))

  3. Thanks. I overlooked the suggestions forum so I posted my suggestion there… just some seconds before you answered.

(vipsoft) #4

Sorry, I misunderstood your second request. Suppressing the referrer for outbound clicks isn’t on the roadmap.