Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#1376 closed Bug (fixed)

"Ignore" cookie works only for current website

Reported by: PietroBattiston
Owned by: vipsoft
Priority: normal
Milestone: Piwik 0.6.2
Component: Core
Keywords:
Cc:
Sensitive: no

Description

Hello, this is my situation:

  • domain www.a.it and domain www.b.it hosted by the same server
  • www.a.it/piwik and www.b.it/piwik pointing to the same piwik instance

If I login to www.a.it/piwik and, in the preferences, set the cookie to ignore my visits, my visits to www.b.it are _not_ ignored.

If I login to www.b.it/piwik, I find that indeed the cookie is _not_ reported as set. If I set it there, I finally get that my visits to www.b.it _are_ ignored.

Now, as a matter of principle this wouldn't be a terrible issue. However, the GUI for setting the cookie explicitly says "will exclude your visits on websites tracked by Piwik", so I guess there's some problem.

Please feel free to ask me for specific information (or to blame me for having missed something trivial).

Pietro

Change History (13)

comment:1 Changed 4 years ago by PietroBattiston

Well, some information that I should provide without being asked: running piwik 0.6.1.

comment:2 Changed 4 years ago by halfdan

Your case is somewhat unusual, with piwik running under two different domains. In fact, if you set the cookie on a.it/piwik, only websites that have a.it in their tracking code are excluded from the statistics.
Basically a cookie is bound to the domain that created it (a.it) and will only be sent by your browser if you visit a page on the same domain (a.it). This is the reason the same Piwik instance doesn't know about your cookie when you visit it using b.it.

comment:3 Changed 4 years ago by vipsoft (robocoder)

  • Keywords cookie ignore removed
  • Milestone set to 0 - Piwik 0.6.2
  • Resolution set to invalid
  • Status changed from new to closed

Halfdan's right. This is an intentional browser limitation to prevent cross-domain cookie hijacking.

comment:4 Changed 4 years ago by PietroBattiston

I imagined it, and that's perfectly fine. But all the piwik management interface is absolutely general in terms of number and address and websites tracked, so add to it that the link to set the cookie says

"› Click here to set a cookie that will exclude your visits on websites tracked by Piwik "

and you understand that it is very misleading. Please explain, near that link, what you just wrote to me, change the link text to "click here to set a cookie that will exclude your visits on currentdomain.it and subpages", and that's fine.

Notice that my case of piwik running under two domains may be unusual, but the case of tracking two different domains is certainly not, and the same problem applies (err, no, it's worse... but then, it's not your fault).

comment:5 Changed 4 years ago by matt (mattab)

  • Resolution invalid deleted
  • Status changed from closed to reopened

Did you use DNS aliases to have both domains under the same piwik?

I would think that anybody using DNS aliases would understand how cookies work, but again I agree the message could be improved. Reopening.

comment:6 Changed 4 years ago by PietroBattiston

I personally have no idea of what a DNS alias is.

To have both domains under the same piwik, I started, as suggested on the piwik forums (sorry, at the moment can't find where) with a bare symlink to a single piwik instance from two root directories of two different apache2 virtual servers. I'm sure people that play with apache configuration outnumber people who play with advanced DNS settings.

Then, I lately switched to using something like

Alias /piwik "/path/to/piwik/"
<Directory "/path/to/piwik/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

in the apache2 configuration for each site (I did that for cleanness, but also because apparently - didn't investigate really a lot - if the real piwik install was reached through a symlink pointing to a symlink, then the web interface missed any image, css and so on - if you're interested in that, I can try to replicate and file a separate bug).

My main problem is that I want to access statistics for different sites via the same administrative interface, but those are unrelated sites, so I don't want visitors of site b.it to see that they're connecting (or see in the html an address) to site a.it (btw, that's exactly the reason why I'm migrating away from Google Analytics).

Piwik is great at that, except where it can't, like in this case: and I think just stating it can't solves the problem.

Then, the perfection would be that the administrative interface does the following:

  • I open it through a.it/piwik
  • it knows that b.it is tracked through b.it/piwik, so tells me "hey, click here, but know that this particular ignore cookie will only affect site tracked through a.it/piwik"
  • so it opens a small frame, or pulls a javascript, or anything, from b.it/piwik that allows me to manage the cookie for b.it (and all sites tracked through b.it), so that I see a nice button "hey, click here, but know that this particular ignore cookie will only affect site tracked through b.it/piwik"
  • and does so for any other *.*/piwik that it has detected

But that introduces a non trivial layer of abstraction that I'm not sure piwik is interested in (and my php skills and time availability are not big enough...).

comment:7 Changed 4 years ago by vipsoft (robocoder)

Using JavaScript/iframes could be ugly -- there's a similar cross domain scripting limitation with XmlHttpRequest, and hackish workarounds for iframes on IE and Safari, e.g., http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/

I'm not even sure if we can tackle this as part of the first-party cookie implementation in #557.

comment:8 Changed 4 years ago by PietroBattiston

(If I give another proof of my ignorance, it's the last one, but...) why should the XmlHttpRequest limitation be a problem here, if the javascript is _downloaded_ from the other site?! I can't see the difference from a normal tracking javascript.

comment:9 Changed 4 years ago by vipsoft (robocoder)

Suppose we have a site with 2 sites being tracked, with the following URLs:

idsite=1:

  • www.site1.com - main domain
  • www.site1.net - an alias domain
  • mydomain.com/site1 - a subdomain

idsite=2:

  • www.site2.com - main domain
  • www.site2.net - an alias domain
  • mydomain.com/site2 - a subdomain

Let's also say the Piwik tracker can be accessed as a folder in any of the above, e.g., www.site1.com/piwik, www.site1.net/piwik, mydomain.com/site1/piwik, etc.

And just to make it interesting, let's say I access my master Piwik installation via mystats.com.

If I click on "set a cookie to exclude my visits", we would actually need to generate piwik-ignore cookies for all 6 domains. The JavaScript (loaded from mystats.com) cannot call the API on site1.com, site1.net, site2.com, site2.net, or mydomain.com using XmlHttpRequest because of the cross domain scripting restriction (unless the user has changed their default browser security settings to enable this).
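Added example, not part of the ticket and not Piwik code: a simplified model of the RFC 6265 cookie scoping rules that comment:2 and comment:9 describe, showing which tracker hosts would receive an ignore cookie set from a given admin host. The cookie name `piwik_ignore` and all function names are assumptions; public-suffix checks, Path, Secure and expiry handling are omitted.

```javascript
// Added illustration of RFC 6265 cookie scoping; not Piwik code.
// Simplified: no public-suffix list, no Path/Secure/expiry handling.

// RFC 6265 section 5.1.3: host matches domain if identical,
// or if host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Model a browser storing a cookie from a response served by `setterHost`.
// `domainAttr` is the optional Domain attribute of the Set-Cookie header.
// Returns the stored cookie, or null when the browser rejects it.
function storeCookie(setterHost, name, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, exact host match required.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A server may only set cookies for its own host or a parent of it.
  if (!domainMatch(setterHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach `cookie` to a request for `requestHost`?
function isSent(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : domainMatch(host, cookie.domain);
}

// Hosts serving the tracker in the comment:9 scenario (constructed list).
const trackerHosts = ["www.site1.com", "www.site1.net", "www.site2.com",
                      "www.site2.net", "mydomain.com"];

// Which tracker hosts see an ignore cookie set while browsing `adminHost`?
function hostsSeeingIgnoreCookie(adminHost, domainAttr) {
  const cookie = storeCookie(adminHost, "piwik_ignore", domainAttr);
  return cookie ? trackerHosts.filter((h) => isSent(cookie, h)) : [];
}

console.log(hostsSeeingIgnoreCookie("mystats.com"));                // none
console.log(hostsSeeingIgnoreCookie("www.site1.com"));              // only www.site1.com
console.log(hostsSeeingIgnoreCookie("www.site1.com", "site2.com")); // rejected, none
console.log(isSent(storeCookie("www.a.it", "piwik_ignore"), "www.b.it"));
```

The third call shows the browser refusing a cookie whose Domain attribute names a host the setter does not belong to, which is the protection comment:3 refers to.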

comment:10 Changed 4 years ago by PietroBattiston

Sure; I was thinking about a server-generated page that would contain _hardcoded_ references to (possibly very light, and ordered in more pages, if they are a lot) javascripts retrieved each from the relative domain, and a "set a cookie to exclude my visits to x.it" for each x.it.

Then the exact mapping between tracked sites and "tracking points" could be studied in detail, what I just mean is that _certainly_ some work on the php side would be needed. On the other hand, I don't see how a web interface showing the "tracking points" possibly distributed in more pages, each page pulling something like 5 javascripts (from 5 different domains) with very few lines of code each, would really constitute a problem.

But feel free to skip the details if you really think it's unfeasible, I don't want to lose your time.

comment:11 Changed 4 years ago by vipsoft (robocoder)

  • Owner set to vipsoft
  • Status changed from reopened to new

Retrieving JavaScript from each site (to work around the cross domain limitation) would require the user to specify the location of the piwik folder in each tracked site, if any, _per_ URL. That can be onerous for Piwik users, just so the click-to-exclude code can locate:

site1.com/piwik/x.js, site2.com/stats/x.js, mystats.com/x.js

Perhaps we can implement this using image requests (like the web bug image).

comment:12 Changed 4 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

(In [2214]) quick fixes #1376 - add cookie domain to link text, i.e.,

Click here to set a cookie that will exclude your visits on websites tracked by Piwik on MYSITE.TLD

comment:13 Changed 4 years ago by PietroBattiston

My point was precisely that the piwik install itself would bear the task of remembering from where it is accessed, the user should at most ensure that one visit is done before trying to set the cookie.

But again, the implemented solution is perfectly acceptable, thanks.
