Opt-Out-iFrame sets Session Cookie

SebastianMoehler · June 5, 2018, 10:38am

Hello there,

I’m trying to use Matomo without cookies if possible. The opt-out-cookie is acceptable, though.

Using this FAQ-entry, I succeeded - or so i thought. As soon as I load the web page where I placed the opt-out-iFrame, I still get a session cookie (PIWIK_SESSID), even if I don’t click on the opt-out.

Is there a way to prevent the iFrame from setting the session cookie? I’m not afraid to change some files within the installation, if it comes to that - but i need some pointers to do that.

Any help would be greatly appreciated.

fdellwing · June 5, 2018, 12:43pm

I don’t think this is possible without writing your own optout solution and not embedding it via iframe.

Lukas · June 5, 2018, 12:47pm

Hi,

Since Matomo 3.5.0 this is easily possible:
https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form

SebastianMoehler · June 5, 2018, 1:11pm

Thank you, that’s it!

This also solves another problem: i wasn’t quite satisfied with the look of the iFrame. With this it will fit in nicely.

PraeSenZ · June 5, 2018, 1:43pm

Sorry, I am not a code specialist, but have the same problem.
No cookies allowed, but the Matomo cookie is set - just on the privacy page where I wrote that Matomo doesn´t set cookies, wonderful!! And I do not mean the ignore cookie…
I was searching on the page linked by you, Lukas, but this is really chinese to me.
I ONLY want no (IMHO obsolete) cookie set by PIWIK and nothing else! uaaaah!
How is it easily possible?
Thanks for help for a bloody lay!

Lukas · June 5, 2018, 1:46pm

BTW:

There is an open issue about removing the session cookie from the opt-out form (as it is not needed there)

github.com/matomo-org/matomo

Opt-out does not unset session ID for CSRF protection

opened 04:43PM - 06 Feb 18 UTC

closed 05:08AM - 03 May 19 UTC

sammacbeth

c: Security not-in-changelog

When using the form to opt-out of tracking (tested on https://matomo.org/privacy…-policy/): ![screen shot 2018-02-06 at 17 25 21](https://user-images.githubusercontent.com/248111/35870780-cdf4e4e2-0b62-11e8-892f-6172795ccc88.png) ## Expected behaviour The `PIWIK_SESSID` cookie is removed from my browser. ## Actual behaviour The `PIWIK_SESSID` cookie remains with its previous value. ## Discussion We have tested this on our own install and the opt out mechanism works, in the fact that this user's sessions do not appear in the dashboard. However, there are two primary concerns: 1. If the cookie remains, there is no guarantee tracking will not continue - one must trust that the server side is honoring the `piwik_ignore` cookie. The Privacy by Design approach would be to unset the session cookie, then every user can be sure that the identifier is no longer present. 2. From a compliance perspective (considering upcoming GDPR and ePrivacy regulations), if a user has explicitly opted-out of tracking, yet the identifier is still being sent by the client, I must be able to be 100% sure that this identifier is not being stored somewhere. On our installation I could see that a session ID for a user who was opted out from the start is still stored in the database. How can I verify that there are no other traces of this user in the database which could lead this to violate GDPR? Similarly any logs upstream on the webserver may need to be purged of this identifier. Therefore, it would be preferable if the server would remove/reset the `PIWIK_SESSID` cookie on opt-out, and enforce that this cookie does not persist. This would meet the goal on both sides: that the user can trust the opt-out mechanism, and that the administrator can prove compliance with user consent.

PraeSenZ · June 5, 2018, 2:02pm

Thanks, Lukas.
Is obviously and unfortunately not solved until DSGVO comes…

fdellwing · June 5, 2018, 2:49pm

Session cookies are excluded from the DSGVO [especially the ePrivacy paper] (as is my current knowlodge), so this should be no problem.

SebastianMoehler · June 6, 2018, 1:58pm

The solution looked great - until i tried to implement it

@PraeSenZ: if you are using wordpress, the following works.

Be advised though, i don’t usually code javascript. Could anybody check my work in case i’ve missed something?

Now, step for step to a working implementation.

First: back up your Wordpress and matomo files and databases! You are going to fiddle with some inner works of matomo here. Make sure you can get back to a working version if something goes wrong.

Then take the example code from the linked page and remove all newlines:

<div id="optout-form"><p>You may choose not to have a unique web analytics cookie identification number assigned to your computer to avoid the aggregation and analysis of data collected on this website.</p><p>To make that choice, please click below to receive an opt-out cookie.</p><p><input type="checkbox" id="optout" /><label for="optout"><strong></strong></label></p></div><script>document.addEventListener("DOMContentLoaded", function(event) {function setOptOutText(element) {_paq.push([function() {element.checked = !this.isUserOptedOut();document.querySelector('label[for=optout] strong').innerText = this.isUserOptedOut()? 'You are currently opted out. Click here to opt in.': 'You are currently opted in. Click here to opt out.';}]);}var optOut = document.getElementById("optout");optOut.addEventListener("click", function() {if (this.checked) {_paq.push(['forgetUserOptOut']);} else {_paq.push(['optUserOut']);}setOptOutText(optOut);});setOptOutText(optOut);});</script>

Log in to wordpress and edit the site with the current iFrame. Change from visual to text editor, remove the iFrame and instead paste the code from above.

(If you’re wondering about the removed line breaks: even in text mode, wordpress inserts <p> ... </p> tags around every line - this breaks the javascript if it contains more than one line).

Save, load the webpage (cookies still disabled in the matomo tracking code), click the checkbox-text and see… nothing. As it turns out, the request to not set cookies also affects the setting of the opt-out-cookie.

Now the fun starts, as we begin to change minimized javascript code. Go to your web space, get into the matomo installation dir and search for “piwik.js”. Make a copy (i.e. piwik.js.old), so you can get back without playing back the whole backup. Open “piwik.js” in an editor of your choice and search for “this.rememberConsentGiven=function(c5)”. For readability, here with newlines:

this.rememberConsentGiven=function(c5) {
  if(bd){
    ag("rememberConsentGiven is called but cookies are disabled, consent will not be remembered");
    return
  }

 if(c5) {
   c5=c5*60*60*1000
  }
  this.setConsentGiven();
  var c4=new Date().getTime();
  cZ(a6,c4,c5,bh,cL,bJ)
};

this.forgetConsentGiven=function() {
  if(bd) {
    ag("forgetConsentGiven is called but cookies are disabled, consent will not be forgotten");
    return
  }
  bP(a6,bh,cL);
  cZ(cB,new Date().getTime(),0,bh,cL,bJ);
  this.requireConsent()
};

this.isUserOptedOut=function(){return !bt};
this.optUserOut=this.forgetConsentGiven;
this.forgetUserOptOut=this.rememberConsentGiven;

remove the if(bd){...}-parts, so the function actually does anything:

this.rememberConsentGiven=function(c5){
if(c5){c5=c5*60*60*1000}this.setConsentGiven();var c4=new Date().getTime();cZ(a6,c4,c5,bh,cL,bJ)};this.forgetConsentGiven=function(){bP(a6,bh,cL);cZ(cB,new Date().getTime(),0,bh,cL,bJ);this.requireConsent()};this.isUserOptedOut=function(){return !bt};this.optUserOut=this.forgetConsentGiven;this.forgetUserOptOut=this.rememberConsentGiven;

That’s not enough, I’m afraid - you also need to disable the check for “not allowed cookies” in the function where the cookie is set (here cZ). You can’t outright remove the check, for this may also disable the no-cookie-parameter completely. So to be safe, use an optional override-parameter. Add , true to cZ(...) function calls:

this.rememberConsentGiven=function(c5){
if(c5){c5=c5*60*60*1000}this.setConsentGiven();var c4=new Date().getTime();cZ(a6,c4,c5,bh,cL,bJ,true)};this.forgetConsentGiven=function(){bP(a6,bh,cL);cZ(cB,new Date().getTime(),0,bh,cL,bJ,true);this.requireConsent()};this.isUserOptedOut=function(){return !bt};this.optUserOut=this.forgetConsentGiven;this.forgetUserOptOut=this.rememberConsentGiven;

Now search for “function cZ(”

function cZ(da,c8,c7,c9,c6,c5){if(bd){return}var c4;if(c7){c4=new Date();c4.setTime(c4.getTime()+c7)}G.cookie=da+"="+t(c8)+(c7?";expires="+c4.toGMTString():"")+";path="+(c9||"/")+(c6?";domain="+c6:"")+(c5?";secure":"")}

and add the override

function cZ(da,c8,c7,c9,c6,c5,overRide=false){if(!overRide&&bd){return}var c4;if(c7){c4=new Date();c4.setTime(c4.getTime()+c7)}G.cookie=da+"="+t(c8)+(c7?";expires="+c4.toGMTString():"")+";path="+(c9||"/")+(c6?";domain="+c6:"")+(c5?";secure":"")}

The function bP (removes cookie) needs a pass-through parameter as it calls cZ (Attention: add “,false,overRide” to the cZ function call - her it’s only called with 5 parameters instead of the expected 6)

function bP(c6,c5,c4,overRide=false){cZ(c6,"",-86400,c5,c4,false,overRide)}

Don’t forget to change the bP call in this.forgetConsentGiven:

bP(a6,bh,cL, true);

Lastly, there’s also a call to setConsentGiven, which also calls bP. This time, add the override only in the function call:

this.setConsentGiven=function(){bt=true;bP(cB,bh,cL,true);var c5,c4;for(c5=0;c5<cz.length;c5++){c4=typeof cz[c5];if(c4==="string"){bw(cz[c5],bA)}else{if(c4==="object"){c0(cz[c5],bA)}}}cz=[]}

That’s it - Save the file, reload the webpage and test it. Be sure to reload after every click on the opt-out / opt-in - even if you just make the first change (remove if(bd){...}), the text will toggle - but it won’t set the cookies.

This solution will not survive an update. If someone has a better idea to only set the opt-out cookie, i’m all ears.

Lukas · June 6, 2018, 2:30pm

Hi @SebastianMoehler ,

I really don’t want to ruin your huge accomplishment of dechiffering the minimized JS, but you know that Matomo is Open Source, right?

You can simply read through through the non-minifed and commented file here and follow the docs here to minify the edited file.

You don’t even have to go to Github as you can find all files in the js/ folder of Matomo.

That said not setting the opt-out when cookies are disabled sounds like a bug (or a too literal feature).

SebastianMoehler · June 7, 2018, 6:19am

Thanks for the info, next time I’ll only need half the time

This is by design - the description to rememberConsentGiven() states Please note that this feature requires you to set the 'cookieDomain' and 'cookiePath' correctly and requires that you do not disable cookies.

There seems to be no way to only allow opt-out-cookies which works out of the box yet.