Last year the Chromium browser team announced they would change their default behaviour for cookies, in particular for a property called SameSite. Over the last few months, we have made various changes to our cookie handling to get Matomo ready for this. Depending on your setup and the features you use, some things may not work anymore.
You can avoid most of the issues by using HTTPS on your Matomo, and ideally also use HTTPS on your website(s).
If you are not running the latest version of Matomo yet (3.13.3 at the time of writing), then we highly recommend that you upgrade as soon as possible. Previous versions are not compatible with these cookie browser changes.
Opt out screen
If you embed the opt out screen on your website running on HTTP, there is a chance the Matomo opt out no longer works. In these cases it may still work over HTTP:
- and when both the opt out and the JS tracker point to the same Matomo installation.
In other cases when HTTP is used, the opt out feature will likely be broken.
If the opt out is not working anymore, it is most likely due to HTTP being used. In that case you should change the opt out URL to HTTPS. For example change from
<iframe src="http://…" to
<iframe src="https://...". If your Matomo doesn’t support HTTPS yet, you will need to contact your web host or system administrator to get SSL enabled on your Matomo domain.
But there is an edge case: when you are also reading Matomo’s cookie server side. You may be affected by this edge case issue when:
- you track part of the user behaviour in the browser (using Matomo JS Tracker),
- and also track user behavior in your server (for example using one of Matomo SDKs in PHP, Java, Python, C#, etc.).
In that case, for you to still be able to read the so-called visitorId on your server, we recommend you add this line to your JS tracking code:
_paq.push(['setSecureCookie', location.protocol === 'https:']);
The cookie can only be retrieved if your website is loaded through HTTPS.
Should you have any questions, or notice anything isn’t working as expected, please visit our forum.
Third party cookies
If you are using third party cookies, using HTTPS on your Matomo is now a requirement to make them work across different domains. Otherwise Chrome, and in the near future other browsers, would not accept the cookie. If you don’t know whether you are using third party cookies or first party cookies, you’re likely using first party cookies and this does not affect you.
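To see why HTTPS becomes a requirement for cross-domain cookies, here is an added example (not Matomo's own code) that models the browser rules behind the change: a cookie without a SameSite attribute is treated as Lax, and SameSite=None is only accepted together with Secure, which in turn needs HTTPS. The cookie names, the function names and the sample headers are constructed for illustration.

```javascript
// Added example. Cookie names and values are constructed samples,
// not the cookies Matomo actually sets.

// Parse the parts of a Set-Cookie header that matter for this check.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Would a cookie set by a response served over `scheme` ('http:' or 'https:')
// be stored and then sent in a cross-site iframe or tracking request?
function crossSiteVerdict(header, scheme) {
  const c = parseSetCookie(header);
  if (c.secure && scheme !== 'https:') {
    return { ok: false, reason: 'Secure cookie cannot be set over HTTP' };
  }
  // A missing or unrecognised SameSite value is treated as Lax.
  const mode = ['none', 'lax', 'strict'].includes(c.sameSite) ? c.sameSite : 'lax';
  if (mode !== 'none') {
    return { ok: false, reason: `SameSite=${mode}: not sent in cross-site iframes or subrequests` };
  }
  if (!c.secure) {
    return { ok: false, reason: 'SameSite=None without Secure is rejected' };
  }
  return { ok: true, reason: 'stored and sent cross-site' };
}

// Constructed samples: [Set-Cookie header, scheme of the Matomo URL].
const samples = [
  ['sample_optout=1; Path=/', 'http:'],
  ['sample_optout=1; Path=/; SameSite=None', 'http:'],
  ['sample_optout=1; Path=/; SameSite=None; Secure', 'http:'],
  ['sample_optout=1; Path=/; SameSite=None; Secure', 'https:'],
];
for (const [header, scheme] of samples) {
  const { ok, reason } = crossSiteVerdict(header, scheme);
  console.log(`${scheme} ${header} -> ${ok ? 'works' : 'broken'} (${reason})`);
}
```

Only the last sample, served over HTTPS with both SameSite=None and Secure, survives in a cross-site context. The check does not model the same-installation HTTP case mentioned in the opt out section.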