The Matomo URL is transmitting login credentials in the URL. This happens when the users are redirected after successful authentication. The login form method is set to POST in the FormLogin.php plugin. Is there a way to overcome this issue?
Even besides Matomo, you should make sure that the credentials never show up in the URL, because of server logs, browser history and similar things (unless I misunderstand you and the Matomo credentials show up in the Matomo URL).
So double-check that, even if you submit the form via POST, no GET parameters are set at all.
Once the user is logged into the Matomo administration console, the Matomo application is sending the login credentials in a URL to the tracking endpoint. Please see the example below.
Do you use this form to log in?
Because it is set to method="post" and therefore should never add the form values as GET parameters.
If you are using something else to log in, can you please expand on how your setup works?
Yes, we are using the same form to log in.
But as you see, once the login is complete, the form changes to GET method from POST as seen below:
Is it maybe possible that your webserver makes the browser do a redirect first?
Or is this the first request after entering the form?
Edit: I see now that the request from the screenshot is a GET request, but it also doesn’t transfer any credentials, but rather just fetches the core JS files, so there is nothing wrong with that.
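Added example, not part of the original thread and not Matomo code: one way to check a web server access log for credentials that ended up in a request URL or in a Referer header, which is where the server-log exposure mentioned above would show up. The parameter names in SENSITIVE, the host names and the log lines are assumptions constructed for illustration; adjust the list to your own setup.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed list of query parameter names that should never appear in a URL.
SENSITIVE = {"form_login", "form_password", "token_auth",
             "password", "passwd", "pwd"}

# Request line, status, size and optional referer of a Combined Log Format entry.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Constructed sample log lines (values are placeholders, not real data).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /index.php?module=Login HTTP/1.1" 302 0 "https://matomo.example/index.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?module=CoreHome&action=index HTTP/1.1" 200 5120 "https://matomo.example/index.php?module=Login" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?module=Login&form_login=alice&form_password=REDACTED HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "GET /matomo.php?idsite=1&rec=1 HTTP/1.1" 204 0 "https://app.example/home?token_auth=REDACTED" "Mozilla/5.0"',
]


def leaked_params(url):
    """Return the sorted sensitive parameter names found in a URL's query string."""
    query = urlsplit(url).query
    pairs = parse_qsl(query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() in SENSITIVE})


def scan(lines):
    """Return (line number, method, field, names) for every credential-bearing URL."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.search(line)
        if not match:
            continue  # not an access-log entry in the expected format
        # Check the requested URL and the Referer: both are written to logs.
        for field in ("target", "referer"):
            names = leaked_params(match.group(field) or "")
            if names:
                findings.append((number, match.group("method"), field, names))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The POST in the first sample line produces no finding because the form body is not part of the logged URL; only the third and fourth lines are reported.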