_pk_ref cookie not secured

I set all cookies from matomo on-premise like secured, but _pk_ref is not. I dont know, what should be a reason. Can anybody helps?


This has been reported in

and fixed in

(for Matomo 4)

What is the solution to _pk_ref cookie? My application is complaining for this cookie too. I have integrated Matomo via “ngx-matomo - V 0.1.4”. Please advice.


Hi @nidhi,

The fix above has been applied to Matomo 4, so it will be fixed once it is released.

As the change is quite simple, you could until then manually apply them to the matomo.js files:

Thanks Lukas. So just to confirm, to fix manually in my application I should run : rebuilt piwik.js ? From the topic discussion it looks like, this will set _pk_ref cookie to secure.



The easiest way is to manually apply this change to the js/piwik.js and then follow this guide to regenerate the minified versions.

diff --git a/js/piwik.js b/js/piwik.js
index 5fb12e6ef33..31e05210de2 100644
--- a/js/piwik.js
+++ b/js/piwik.js
@@ -3587,7 +3587,7 @@ if (typeof window.Piwik !== 'object') {
                             purify(referralUrl.slice(0, referralUrlMaxLength))
-                        setCookie(cookieReferrerName, windowAlias.JSON.stringify(attributionCookie), configReferralCookieTimeout, configCookiePath, configCookieDomain);
+                        setCookie(cookieReferrerName, windowAlias.JSON.stringify(attributionCookie), configReferralCookieTimeout, configCookiePath, configCookieDomain, configCookieIsSecure);
@@ -3682,7 +3682,7 @@ if (typeof window.Piwik !== 'object') {
                     if (configStoreCustomVariablesInCookie) {
-                        setCookie(cookieCustomVariablesName, windowAlias.JSON.stringify(customVariables), configSessionCookieTimeout, configCookiePath, configCookieDomain);
+                        setCookie(cookieCustomVariablesName, windowAlias.JSON.stringify(customVariables), configSessionCookieTimeout, configCookiePath, configCookieDomain, configCookieIsSecure);

If you can’t do this, you have to manually apply the change in the minified version which might be not that practical.