HttpOnly Tracking Cookie

Hello all,

I found all the tracking cookies of Piwik not having set httpOnly to ‘true’. The default value is ‘false’ in the class ‘Cookie’. I have found no way to configure this.
Is there a reason why the value of httpOnly is ‘false’? Is it ok too change this to ‘true’?


Kind Regards


are you talking of first party cookies in JS or 3rd party cookies in PHP (disabled by default) ?

Hmmm…well, I am not sure but I think it is a cookie set by PHP. If it helps, I am talking about cookies with a name like _pk_id.1.91db and _pk_ses.1.91db.

These cookies are set in JS and are not sent to the piwik tracking server

so it is not possible to make them httponly. alright…

Thanks for the info!

See the code here:

cause this topic is quite 5 years old … is it possible now to set the cookie httpOnly to ‘true’?


You can check the code here:

What Matthieu mentioned is still true:
httpOnly means that the cookie is impossible to read or modify via Javascript. But this is incompatible to the fact that the cookie will be set by the tracking code in Javascript

thanks a lot for this answer :slight_smile: