Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Secure Google tracking cookies

Tags:

I use Google Analytics on some pages of my website. My entire site uses SSL. Is it possible to secure the cookies of Goole Analytics __umt*.

At least I would like to enable the secure flag on them. At best I would also like to set the HTTP only flag on them, but I don't think the latter is possible (because Google uses JS to use the cookies I think).

Is it possible to do this? And if so how to set it up?

like image 281
PeeHaa Avatar asked Feb 01 '12 10:02

PeeHaa

People also ask

Does Google tracking use cookies?

Some cookies and other technologies help sites and apps understand how their visitors engage with their services. For example, Google Analytics uses a set of cookies to collect information and report site usage statistics without personally identifying individual visitors to Google.

How do I secure my cookies?

You can ensure that cookies are sent securely and aren't accessed by unintended parties or scripts in one of two ways: with the Secure attribute and the HttpOnly attribute. A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol.

What type of cookie is _GA?

The GA cookie is set when a person visits your website for the first time. Google Analytics sends the client ID with each hit to associate hits with a user. A GA cookie can exist only on the device and browser where it has been set.

2 Answers

Short of modifying the GA script and storing your own local copy, no, you're not going to be able to set secure or HttpOnly flags. I imagine Google has made a conscious design decision about this and certainty there can be advantages from being able to track the same user across both secure and insecure schemes.

You've got to ask yourself what you're trying to achieve with this though; what's the potential exploit if a man in the middle can intercept and read or manipulate the cookie due to lack of the secure flag? Same again with the HttpOnly flag; what's the upside for the attacker if they can retrieve this cookie via an XSS exploit?

I've seen this sort of feedback from automated security scanners before that are simply triggered by the missing flags without having the context of what the cookies are actually being used for. That would be my first guess at why a question like this would even come up.

like image 185
Troy Hunt Avatar answered Sep 24 '22 03:09

Troy Hunt

There is a new option called cookie_flags when loading the GA library.

ga('create', 'UA-XXXXX-Y', {     cookieFlags: 'max-age=7200;secure;samesite=none' });
like image 40
raik Avatar answered Sep 23 '22 03:09

raik
Sign in to Comment

Related questions

iframe with external page not working
Download MP3 from Google Translate text to speech
Is there any notification for detecting AirPlay in Objective-C?
Can I disable the UIPageViewController's page border gesture recognizers? And keep the swipe one?
Positioning tables and charts in BIDS SSRS
Pythonic way to have a choice of 2-3 options as an argument to a function
Common Lisp: convert between lists and arrays
Sort legend in ggplot2
List<Foo> as form backing object using Spring 3 MVC, correct syntax?
git track, ignore, delete, untrack
Is it possible to speed up maven artifacts downloading?
How to unpack multiple tuples in function call

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!