Skip to content

Add optional configurable cookie allowlist for forwarded requests #99

Description

@sgiehl

Problem

The tracker proxy currently forwards the entire incoming Cookie header to the Matomo server whenever HTTP_COOKIE is present. In proxy.php, this happens via:

if (isset($_SERVER['HTTP_COOKIE'])) {
    $header[] = "Cookie: " . $_SERVER['HTTP_COOKIE'];
}

That means all cookies from the tracked site are forwarded, not just Matomo-related ones.

Why this matters

In practice, this may include unrelated or potentially sensitive cookie values. Even if these values are not easy to obtain or expose through normal usage, forwarding all cookies seems broader than necessary from a security and privacy perspective.

Since the proxy is intended to preserve Matomo tracking behavior and correct cookie handling, it would be useful to make cookie forwarding more restrictive and configurable. The README also explicitly notes that correct Matomo cookie behavior is important when deploying the proxy.

Proposal

Introduce an optional configurable cookie allowlist for forwarded cookies.

Suggested behavior:

  • By default, keep the current behavior for backward compatibility, or choose a safe default if maintainers prefer
  • Add a config option that allows specifying which cookie names may be forwarded to Matomo
  • When configured, only cookies on that allowlist should be included in the forwarded Cookie header
  • All other cookies should be dropped before the request is sent upstream

Expected use case

The allowlist would typically include all Matomo-related cookies, for example:

  • tracking cookies
  • opt-out cookie
  • any other Matomo cookies needed for correct behavior

This would let users limit forwarding to the cookies that are actually relevant for Matomo, while avoiding forwarding unrelated site/application cookies.

Possible implementation idea

A config value in config.php, for example:

$COOKIE_ALLOWLIST = array(
    '_pk_id',
    '_pk_ses',
    'mtm_consent',
    'mtm_consent_removed',
    'matomo_ignore',
    // etc.
);

Then parse $_SERVER['HTTP_COOKIE'], keep only allowed cookie names, and rebuild the Cookie header before forwarding.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions