SameSite issue with tracking cookies when using a site inside an iframe

Hello all,
I have the following scenario: I have Matomo tracking set up for a site that is both used directly and inside a different site’s context in an iframe.

Now I have the following problem: since the Matomo tracking cookies (_pk_id.* and _pk_ses.*) are set with a SameSite policy of “Lax”, they are inaccessible to the site inside the iframe. This means that not only is the user not recognized as the same user who is using the site outside the iframe, but each tracking request inside the iframe is issued as a new visit although it is still the same user.

Is there any way I can configure Matomo to set the tracking cookies with a SameSite policy of “None”?

I did some more research on this and it seems that it should be possible with Matomo 3.14.1 (we are currently on 3.14) where this change is implemented:

Make it possible to configure cookie options for Secure, HTTPOnly and SameSite (https://github.com/matomo-org/matomo-php-tracker/pull/73)

What I’m not sure about is how these configuration parameters are set. Do I have to change the tracking code and set the parameters like this:

_paq.push(['setCookieSameSite', 'None']);
_paq.push(['setCookieSecure', true]);

Can somebody confirm this?

I’m wondering the same thing. I also saw this in the release notes for 3.14.1… but that’s all I see. I have no idea how we’d actually turn this on.
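
The SameSite behaviour discussed in this thread, as an added example that is not part of any post and is not Matomo code: a simplified JavaScript model of when a cookie is usable by a page loaded in a frame. The host names, cookie values and the two-label "site" approximation are assumptions made for illustration.

```javascript
// Simplified model of SameSite handling for a cookie used by a framed page.
// Assumption: "site" = scheme + last two host labels; real browsers use the
// Public Suffix List, so this only holds for hosts like *.example.com.
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');
}

// The frame is cross-site when its site differs from the top-level page's site.
function isCrossSiteFrame(topUrl, frameUrl) {
  return siteOf(topUrl) !== siteOf(frameUrl);
}

// Would the browser store the cookie at all?
function isAccepted(cookie, frameUrl) {
  const https = new URL(frameUrl).protocol === 'https:';
  if (cookie.secure && !https) return false;                      // Secure needs HTTPS
  if (cookie.sameSite === 'None' && !cookie.secure) return false; // None requires Secure
  return true;
}

// Is the cookie usable by the page at frameUrl while topUrl is in the address bar?
function cookieAvailable(cookie, topUrl, frameUrl) {
  if (!isAccepted(cookie, frameUrl)) return false;
  if (!isCrossSiteFrame(topUrl, frameUrl)) return true; // first-party context
  return cookie.sameSite === 'None';                    // Lax and Strict are withheld
}

// Constructed sample data (not taken from the thread).
const tracked = 'https://shop.example.com/';    // the tracked site
const embedder = 'https://portal.example.org/'; // the site embedding it in an iframe
const lax = { name: '_pk_id.1.abcd', sameSite: 'Lax', secure: false };
const noneSecure = { name: '_pk_id.1.abcd', sameSite: 'None', secure: true };
const noneOnly = { name: '_pk_id.1.abcd', sameSite: 'None', secure: false };

const results = {
  direct: cookieAvailable(lax, tracked, tracked),              // true
  framedLax: cookieAvailable(lax, embedder, tracked),          // false
  framedNone: cookieAvailable(noneSecure, embedder, tracked),  // true
  framedNoneInsecure: cookieAvailable(noneOnly, embedder, tracked), // false
};
console.log(results);
```

Even with SameSite=None and Secure, a browser that blocks third-party cookies can still withhold the cookie inside the embedded frame.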