_pk_id and _pk_ses cookies set by Matomo is not HTTPOnly

nagesh_siddamsetty · December 7, 2022, 2:47pm

Hi,

I guess this question was asked earlier but I could not see any response for that so just posting the question again.

During penetration testing there has been a security concern about not having the _pk_id and _pk_ses cookies as HTTPonly.

We are using Matomo version 3.13.2 and 4.10.1 in different environments.

Is it possible to set above cookies as HTTPonly? If not can we disable these cookies to address the security issue and if we disable them will it have any impact on Matomo tracking functionality.

Regards

heurteph-ei · December 7, 2022, 2:54pm

I think there is a ticket that replies to your question:

github.com/matomo-org/matomo

Security: Cookie Does Not Contain The "HTTPOnly" Attribute

opened 11:59AM - 24 Jun 20 UTC

closed 02:30PM - 24 Jun 20 UTC

qualle

answered

The Cookie `"_pk_testcookie.1.b4ee=1; _pk_id.1.b4ee=..."` is set by matomo, whic…h leads to a security warning `"Security: Cookie Does Not Contain The "HTTPOnly" Attribute"` on the security scanner qualysguard. Can you add the HTTPOnly Attribute? How to reproduce: Run a security test on any site with installed matomo (for eg. with qualysguard from qualys). Check results. Expected behaviour: No warnings from the security scanner. Greetings

nagesh_siddamsetty · December 7, 2022, 2:57pm

Thank you for your response.

It says that we cannot set the cookies as HTTPonly.

But I wanted to know if there is a way to disable these cookies to address the security issue and if we disable them will it have any impact on Matomo tracking functionality.

heurteph-ei · April 13, 2023, 9:53am

Hi @nagesh_siddamsetty
You can maybe track with no cookie:

nagesh_siddamsetty · April 13, 2023, 11:26am

Ok, will check. Thanks for coming back on this.