Opt-Out-iFrame sets Session Cookie

Hello there,

I’m trying to use Matomo without cookies if possible. The opt-out-cookie is acceptable, though.

Using this FAQ-entry, I succeeded - or so I thought. As soon as I load the web page where I placed the opt-out-iFrame, I still get a session cookie (PIWIK_SESSID), even if I don’t click on the opt-out.

Is there a way to prevent the iFrame from setting the session cookie? I’m not afraid to change some files within the installation, if it comes to that - but I need some pointers to do that.

Any help would be greatly appreciated.

I don’t think this is possible without writing your own optout solution and not embedding it via iframe.

Hi,

Since Matomo 3.5.0 this is easily possible:
https://developer.matomo.org/guides/tracking-javascript-guide#optional-creating-a-custom-opt-out-form

Thank you, that’s it!

This also solves another problem: I wasn’t quite satisfied with the look of the iFrame. With this it will fit in nicely.

Sorry, I am not a code specialist, but have the same problem.
No cookies allowed, but the Matomo cookie is set - just on the privacy page where I wrote that Matomo doesn't set cookies, wonderful!! And I do not mean the ignore cookie…
I was searching on the page linked by you, Lukas, but this is really Chinese to me.
I ONLY want no (IMHO obsolete) cookie set by PIWIK and nothing else! uaaaah! :smile:
How is it easily possible?
Thanks for help for a bloody lay! :wink:

BTW:

There is an open issue about removing the session cookie from the opt-out form (as it is not needed there)

Thanks, Lukas.
Is obviously and unfortunately not solved until DSGVO comes… :frowning:

Session cookies are excluded from the DSGVO [especially the ePrivacy paper] (as is my current knowledge), so this should be no problem.

The solution looked great - until I tried to implement it :smiley:

@PraeSenZ: if you are using WordPress, the following works.

Be advised though, I don’t usually code JavaScript. Could anybody check my work in case I’ve missed something?

Now, step for step to a working implementation.

First: back up your WordPress and Matomo files and databases! You are going to fiddle with some inner works of Matomo here. Make sure you can get back to a working version if something goes wrong.

Then take the example code from the linked page and remove all newlines:

<div id="optout-form"><p>You may choose not to have a unique web analytics cookie identification number assigned to your computer to avoid the aggregation and analysis of data collected on this website.</p><p>To make that choice, please click below to receive an opt-out cookie.</p><p><input type="checkbox" id="optout" /><label for="optout"><strong></strong></label></p></div><script>document.addEventListener("DOMContentLoaded", function(event) {function setOptOutText(element) {_paq.push([function() {element.checked = !this.isUserOptedOut();document.querySelector('label[for=optout] strong').innerText = this.isUserOptedOut()? 'You are currently opted out. Click here to opt in.': 'You are currently opted in. Click here to opt out.';}]);}var optOut = document.getElementById("optout");optOut.addEventListener("click", function() {if (this.checked) {_paq.push(['forgetUserOptOut']);} else {_paq.push(['optUserOut']);}setOptOutText(optOut);});setOptOutText(optOut);});</script>

Log in to WordPress and edit the site with the current iFrame. Change from visual to text editor, remove the iFrame and instead paste the code from above.

(If you’re wondering about the removed line breaks: even in text mode, WordPress inserts <p> ... </p> tags around every line - this breaks the JavaScript if it contains more than one line).

Save, load the webpage (cookies still disabled in the matomo tracking code), click the checkbox-text and see… nothing. As it turns out, the request to not set cookies also affects the setting of the opt-out-cookie.

Now the fun starts, as we begin to change minimized javascript code. Go to your web space, get into the matomo installation dir and search for “piwik.js”. Make a copy (i.e. piwik.js.old), so you can get back without playing back the whole backup. Open “piwik.js” in an editor of your choice and search for “this.rememberConsentGiven=function(c5)”. For readability, here with newlines:

this.rememberConsentGiven=function(c5) {
  if(bd) {
    ag("rememberConsentGiven is called but cookies are disabled, consent will not be remembered");
    return
  }

  if(c5) {
    c5=c5*60*60*1000
  }
  this.setConsentGiven();
  var c4=new Date().getTime();
  cZ(a6,c4,c5,bh,cL,bJ)
};

this.forgetConsentGiven=function() {
  if(bd) {
    ag("forgetConsentGiven is called but cookies are disabled, consent will not be forgotten");
    return
  }
  bP(a6,bh,cL);
  cZ(cB,new Date().getTime(),0,bh,cL,bJ);
  this.requireConsent()
};

this.isUserOptedOut=function(){return !bt};
this.optUserOut=this.forgetConsentGiven;
this.forgetUserOptOut=this.rememberConsentGiven;

Remove the if(bd){...}-parts, so the function actually does anything:

this.rememberConsentGiven=function(c5){
if(c5){c5=c5*60*60*1000}this.setConsentGiven();var c4=new Date().getTime();cZ(a6,c4,c5,bh,cL,bJ)};this.forgetConsentGiven=function(){bP(a6,bh,cL);cZ(cB,new Date().getTime(),0,bh,cL,bJ);this.requireConsent()};this.isUserOptedOut=function(){return !bt};this.optUserOut=this.forgetConsentGiven;this.forgetUserOptOut=this.rememberConsentGiven;

That’s not enough, I’m afraid - you also need to disable the check for “not allowed cookies” in the function where the cookie is set (here cZ). You can’t outright remove the check, for this may also disable the no-cookie-parameter completely. So to be safe, use an optional override-parameter. Add , true to cZ(...) function calls:

this.rememberConsentGiven=function(c5){
if(c5){c5=c5*60*60*1000}this.setConsentGiven();var c4=new Date().getTime();cZ(a6,c4,c5,bh,cL,bJ,true)};this.forgetConsentGiven=function(){bP(a6,bh,cL);cZ(cB,new Date().getTime(),0,bh,cL,bJ,true);this.requireConsent()};this.isUserOptedOut=function(){return !bt};this.optUserOut=this.forgetConsentGiven;this.forgetUserOptOut=this.rememberConsentGiven;

Now search for “function cZ(”

function cZ(da,c8,c7,c9,c6,c5){if(bd){return}var c4;if(c7){c4=new Date();c4.setTime(c4.getTime()+c7)}G.cookie=da+"="+t(c8)+(c7?";expires="+c4.toGMTString():"")+";path="+(c9||"/")+(c6?";domain="+c6:"")+(c5?";secure":"")}

and add the override

function cZ(da,c8,c7,c9,c6,c5,overRide=false){if(!overRide&&bd){return}var c4;if(c7){c4=new Date();c4.setTime(c4.getTime()+c7)}G.cookie=da+"="+t(c8)+(c7?";expires="+c4.toGMTString():"")+";path="+(c9||"/")+(c6?";domain="+c6:"")+(c5?";secure":"")}

The function bP (removes cookie) needs a pass-through parameter as it calls cZ (Attention: add “,false,overRide” to the cZ function call - here it’s only called with 5 parameters instead of the expected 6)

function bP(c6,c5,c4,overRide=false){cZ(c6,"",-86400,c5,c4,false,overRide)}

Don’t forget to change the bP call in this.forgetConsentGiven:

bP(a6,bh,cL, true);

Lastly, there’s also a call to setConsentGiven, which also calls bP. This time, add the override only in the function call:

this.setConsentGiven=function(){bt=true;bP(cB,bh,cL,true);var c5,c4;for(c5=0;c5<cz.length;c5++){c4=typeof cz[c5];if(c4==="string"){bw(cz[c5],bA)}else{if(c4==="object"){c0(cz[c5],bA)}}}cz=[]}

That’s it - Save the file, reload the webpage and test it. Be sure to reload after every click on the opt-out / opt-in - even if you just make the first change (remove if(bd){...}), the text will toggle - but it won’t set the cookies.


This solution will not survive an update. If someone has a better idea to only set the opt-out cookie, I’m all ears.
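
The patched cookie gate from the post above, de-minified into a small model that runs under Node (an added example, not part of the original post and not Matomo's code). The cookie names, `createTracker` and `createFakeDocument` are made up for illustration, and `override` mirrors the post's `overRide` argument; it shows that with cookies disabled only the consent writes get through.

```javascript
// Readable model of the patched cookie gate; all names are illustrative.
function createTracker(doc) {
  let cookiesDisabled = false;                 // minified `bd`
  let consentGiven = true;                     // minified `bt`
  const CONSENT = 'consent_given_example';     // stands in for `a6`
  const REMOVED = 'consent_removed_example';   // stands in for `cB`
  // Patched cZ: refuses to write unless the caller passes override = true.
  function setCookie(name, value, msToExpire, path, override) {
    if (cookiesDisabled && !override) return;
    let expires = '';
    if (msToExpire) {
      expires = ';expires=' + new Date(Date.now() + msToExpire).toUTCString();
    }
    doc.cookie = name + '=' + encodeURIComponent(value) + expires + ';path=' + (path || '/');
  }
  // Patched bP: deleting is a write with an expiry in the past.
  function deleteCookie(name, path, override) {
    setCookie(name, '', -86400, path, override);
  }
  return {
    disableCookies() { cookiesDisabled = true; },
    isUserOptedOut() { return !consentGiven; },
    trackPageView() { setCookie('visitor_id_example', 'abc123', 3600000, '/'); },
    optUserOut() {
      deleteCookie(CONSENT, '/', true);
      setCookie(REMOVED, String(Date.now()), 0, '/', true);
      consentGiven = false;
    },
    forgetUserOptOut() {
      consentGiven = true;
      deleteCookie(REMOVED, '/', true);
      setCookie(CONSENT, String(Date.now()), 0, '/', true);
    },
  };
}

// Constructed stand-in for `document`: records every write to .cookie.
function createFakeDocument() {
  const writes = [];
  return { writes, set cookie(v) { writes.push(v); } };
}
const namesWritten = (doc) => doc.writes.map((w) => w.split('=')[0]);

const demoDoc = createFakeDocument();
const demoTracker = createTracker(demoDoc);
demoTracker.disableCookies();
demoTracker.trackPageView();   // blocked: no override passed
demoTracker.optUserOut();      // allowed: override passed
console.log(namesWritten(demoDoc));
```

Any call site that gains the override bypasses the disable-cookies setting entirely, so the flag belongs only on the consent cookie writes.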

Hi @SebastianMoehler ,

I really don’t want to ruin your huge accomplishment of deciphering the minimized JS, but you know that Matomo is Open Source, right? :slightly_smiling_face:

You can simply read through the non-minified and commented file here and follow the docs here to minify the edited file.

You don’t even have to go to Github as you can find all files in the js/ folder of Matomo.

That said not setting the opt-out when cookies are disabled sounds like a bug (or a too literal feature).

Thanks for the info, next time I’ll only need half the time :slight_smile:

This is by design - the description to rememberConsentGiven() states: “Please note that this feature requires you to set the 'cookieDomain' and 'cookiePath' correctly and requires that you do not disable cookies.”

There seems to be no way to only allow opt-out-cookies which works out of the box yet.
