Secure Google tracking cookies

I use Google Analytics on some pages of my website. My entire site uses SSL. Is it possible to secure the cookies of Google Analytics __utm*?

At least I would like to enable the secure flag on them. At best I would also like to set the HTTP only flag on them, but I don't think the latter is possible (because Google uses JS to use the cookies I think).

Is it possible to do this? And if so how to set it up?

PeeHaa Avatar asked Feb 01 '12 10:02

PeeHaa


2 Answers

Short of modifying the GA script and storing your own local copy, no, you're not going to be able to set secure or HttpOnly flags. I imagine Google has made a conscious design decision about this and certainly there can be advantages from being able to track the same user across both secure and insecure schemes.

You've got to ask yourself what you're trying to achieve with this though; what's the potential exploit if a man in the middle can intercept and read or manipulate the cookie due to lack of the secure flag? Same again with the HttpOnly flag; what's the upside for the attacker if they can retrieve this cookie via an XSS exploit?

I've seen this sort of feedback from automated security scanners before that are simply triggered by the missing flags without having the context of what the cookies are actually being used for. That would be my first guess at why a question like this would even come up.

Troy Hunt Avatar answered Sep 24 '22 03:09

Troy Hunt


There is a new option called cookie_flags when loading the GA library.

    ga('create', 'UA-XXXXX-Y', {
        cookieFlags: 'max-age=7200;secure;samesite=none'
    });
raik Avatar answered Sep 23 '22 03:09

raik
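An added example (my own helper, not part of raik's answer or of Google's library) that builds the attribute string passed in `cookieFlags` and checks an existing one for the problems a scanner or a browser would flag. It assumes only what the snippet above shows: the field takes a `;`-separated list of cookie attributes.

```javascript
// Build the cookieFlags string from options. HttpOnly is deliberately not
// offered: a cookie written through document.cookie can never be HttpOnly,
// which is why the question's second wish is not achievable from the GA script.
function buildCookieFlags({ maxAge, secure = true, sameSite = 'lax' } = {}) {
  const parts = [];
  if (Number.isInteger(maxAge) && maxAge > 0) parts.push(`max-age=${maxAge}`);
  if (secure) parts.push('secure');
  if (sameSite) parts.push(`samesite=${String(sameSite).toLowerCase()}`);
  return parts.join(';');
}

// Parse a cookieFlags string and report defensive concerns:
//  - no Secure attribute: the cookie would also ride along on plain-HTTP requests
//  - SameSite=None without Secure: current browsers reject such a cookie outright
//  - HttpOnly present: a cookie set from JavaScript with HttpOnly is ignored
//    entirely by the browser, so the flag silently breaks tracking
function checkCookieFlags(flags) {
  const attrs = new Map();
  for (const raw of flags.split(';')) {
    const [key, value = ''] = raw.trim().split('=');
    if (key) attrs.set(key.toLowerCase(), value.toLowerCase());
  }
  const problems = [];
  if (!attrs.has('secure')) {
    problems.push('missing Secure: cookie is also sent over plain HTTP');
  }
  if (attrs.get('samesite') === 'none' && !attrs.has('secure')) {
    problems.push('SameSite=None without Secure is rejected by browsers');
  }
  if (attrs.has('httponly')) {
    problems.push('HttpOnly cannot be set from document.cookie; cookie is dropped');
  }
  return problems;
}

// Constructed sample inputs: the string from the answer above, and a weakened one.
const answerFlags = 'max-age=7200;secure;samesite=none';
const weakFlags = 'max-age=7200;samesite=none';
console.log(buildCookieFlags({ maxAge: 7200, sameSite: 'none' })); // same as answerFlags
console.log(checkCookieFlags(answerFlags)); // []
console.log(checkCookieFlags(weakFlags));   // two problems
```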