If I log in to Piwik with referers disabled (Firefox addon RefControl), Piwik says:
“Form security key is invalid or has expired. Please reload the form and check that your cookies are enabled.”
First of all, this message is wrong, because I have cookies enabled.
Second, I want to use Piwik with referers disabled. One reason for this wish is that when clicking on a providers my referer is shown in their statistics.
Finally, I want to say thank you to the Piwik developers. I will probably switch from Google Analytics to Piwik.
Members of the Piwik team regularly read and respond to posts on the forum.
The “RefControl” add-on (or its settings) must be broken/wrong. I just tested with a different add-on (“Modified Headers”) and filtered (i.e., suppressed) the Referer header, and I was able to log in to Piwik successfully, without any error message.
No, we won’t disable the Referer (sic) check. This is a security feature and is described in “Robust Defenses for Cross-Site Request Forgery”.
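The paper cited in the reply above distinguishes lenient Referer validation (a missing header is accepted, a header naming another origin is rejected) from strict validation (a missing header is rejected too), which fits the report that suppressing the header still allows login. The sketch below is an added example of that check, not Piwik's code and not part of any post in this thread; the function names and the `stats.example.org` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # hostname is already lower-cased by urlsplit; fill in the default port
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme])


def referer_allows(headers, expected_url, strict=False):
    """Decide whether a state-changing request passes the Referer check.

    lenient (strict=False): no Referer header -> allow
    strict  (strict=True):  no Referer header -> block
    In both modes a Referer that is present must share the expected origin.
    """
    expected = origin_of(expected_url)
    if expected is None:
        raise ValueError("expected_url must be an absolute http(s) URL")
    referer = headers.get("Referer")
    if not referer:
        return not strict
    # Compare parsed origins, never string prefixes: a prefix test would
    # accept https://stats.example.org.other.example.net/ as a match.
    return origin_of(referer) == expected


# Constructed sample requests against a constructed installation URL.
SITE = "https://stats.example.org/index.php"
SAMPLES = {
    "suppressed": {},
    "same_origin": {"Referer": "https://stats.example.org/index.php?module=Login"},
    "other_origin": {"Referer": "https://other.example.net/"},
    "lookalike": {"Referer": "https://stats.example.org.other.example.net/"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, referer_allows(hdrs, SITE), referer_allows(hdrs, SITE, strict=True))
```
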
I will try to get in contact with the RefControl developers to report the bug.
I know you use the referrer for security reasons. But I also heard referrers should not be used for security checks because they can be easily manipulated. (see here, for example: HugeDomains.com - MusTap.com is for sale (Mus Tap))
Thanks. I overlooked the suggestions forum so I posted my suggestion there… just some seconds before you answered.