New cookie behaviour in browsers may cause regressions

Last year the Chromium browser team announced they would change their default behaviour for cookies. In particular about a property called samesite. Over the last few months, we have made various changes to our cookie handling to get Matomo ready for this. Depending on your setup and the features you use, some things may not work anymore.

You can avoid most of the issues by using HTTPS on your Matomo, and ideally also use HTTPS on your website(s).

If you are not running the latest version of Matomo yet (3.13.3 at the time of writing), then we highly recommend that you upgrade as soon as possible. Previous versions are not compatible with these cookie browser changes.

Opt out screen

If you embed the opt out screen on your website running on HTTP, there is a chance the Matomo opt out no longer works. In these cases it may still work over http:

  • when the privacy policy page that embeds the opt out screen (via iframe) also has the Matomo JavaScript tracker embedded,
  • and when both the opt out and the JS tracker point to the same Matomo installation.

In other cases when HTTP is used, the opt out feature will likely be broken.

We recommend you test whether the opt out on your site still works by opening your privacy policy page in an incognito browser window. Then test to opt out of tracking, and then reload the page. If the checkbox “You are not opted out. Uncheck this box to opt out.” is still ticked, then your opt out is not working.

If the opt out is not working anymore, it is most likely due to HTTP being used. In that case you should change the opt out URL to HTTPS. For example change from <iframe src=”http://…” to <iframe src=”https://...” . If your Matomo doesn’t support HTTPS yet, you will need to contact your webhoster or system administrator to get SSL enabled on your Matomo domain.

JavaScript tracker

In most cases, everything related to the JavaScript Tracker will still work as expected.

But there is an edge case: when you are also reading Matomo’s cookie server side. You may be affected by this edge case issue when:

  • you track part of the user behaviour in the browser (using Matomo JS Tracker),
  • and also track user behavior in your server (for example using one of Matomo SDKs in PHP, Java, Python, C#, etc.).

In that case, for you to still be able to read the so-called visitorId on your server, we recommend you add this line to your JS tracking code:

_paq.push([‘setSecureCookie’, location.protocol === 'https:']);

The cookie can be only retrieved if your website is loaded through HTTPS.

Should you have any questions, or notice anything isn’t working as expected, please visit our forum.

Third party cookies

If you are using third party cookies, using HTTPS on your Matomo is now a requirement to make them work across different domains. Otherwise Chrome and in the near future other browsers would not accept the cookie. If you don’t know if you are using third party cookies or first party cookies, you’re likely using first party cookies and this does not affect you.

Share this post