I guess this question was asked earlier but I could not see any response for that so just posting the question again.
During penetration testing there has been a security concern about not having the _pk_id and _pk_ses cookies as HTTPonly.
We are using Matomo version 3.13.2 and 4.10.1 in different environments.
Is it possible to set above cookies as HTTPonly? If not can we disable these cookies to address the security issue and if we disable them will it have any impact on Matomo tracking functionality.
I think there is a ticket that replies to your question:
Thank you for your response.
It says that we cannot set the cookies as HTTPonly.
But I wanted to know if there is a way to disable these cookies to address the security issue and if we disable them will it have any impact on Matomo tracking functionality.
You can maybe track with no cookie:
Ok, will check. Thanks for coming back on this.