Secure _ga_* cookies

Created on 22 July 2024, 3 months ago
Updated 1 August 2024, 3 months ago

I am trying to understand how these _ga_* cookies are generated a bit better while I am working to respond to the results of a security scan. Basically, in a basic page load, I seem to get three cookies by google tag manager. e.g.

_ga
_ga_ABC123
_ga_XYZ890

While both of the cookies that are prepended by a tag id have the same value, only one of these gets set with the "SameSite" and "Secure" attributes. The security scan I am investigating called this out:

  • The cookie does not contain the "secure" attribute.
  • Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
  • If the associated risk of a compromised account is high apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.

Now I'm wondering if this is a bit of a nonsensical result in the scan, but I don't really know how these cookies are managed, or why one is set to secure and the other is not. Is it that there is an insecure version of the same cookie value so GTM can identify users that switch between http and https? Our site forces https via redirects at the webserver level, so users should never see the site in regular http. Is there a way to eliminate the non-secure cookie? I've seen mentions of the "cookie_flags" attribute that seems to be available in GA4 now. Is this an option that can be implemented in this module?
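As an added example (not code from the google_analytics module or from Google's gtag.js), the snippet below shows what a GA4 `config` call carrying the `cookie_flags` parameter looks like, and a small audit helper that reports the attributes a scanner would flag on each cookie string. `cookie_flags` is a documented gtag.js config field whose value is appended verbatim to every cookie GA4 writes. The measurement id and the cookie values are constructed placeholders, and `configureGa4`, `buildCookieFlags` and `auditCookieString` are names chosen for this example.

```javascript
// Added example: GA4 cookie_flags and a cookie-attribute audit.
// Not part of the google_analytics module; the measurement id and cookie
// values are constructed placeholders.

// Replica of the standard gtag bootstrap: gtag() only pushes its arguments
// onto the dataLayer array that gtag.js consumes later.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Build the cookie_flags string. GA4 appends it as-is to each cookie it
// writes, so it must read like the attribute tail of a Set-Cookie line.
function buildCookieFlags({ sameSite = 'Lax', secure = true } = {}) {
  // Browsers reject SameSite=None unless Secure is also present.
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  return parts.join(';');
}

// Emit the config call for one measurement id (placeholder id in the test)
// and return the dataLayer entry so callers can inspect what was sent.
function configureGa4(measurementId, flags) {
  gtag('config', measurementId, { cookie_flags: flags });
  return dataLayer[dataLayer.length - 1];
}

// Parse a cookie string of the form written to document.cookie
// ("name=value; Path=/; Secure; SameSite=Lax") and list missing attributes,
// mirroring the two findings a scanner reports for such cookies.
function auditCookieString(cookieStr) {
  const [nameValue, ...attrs] = cookieStr.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  const lower = attrs.map((a) => a.toLowerCase());
  const findings = [];
  if (!lower.includes('secure')) findings.push('missing Secure');
  if (!lower.some((a) => a.startsWith('samesite='))) findings.push('missing SameSite');
  return { name, isGaCookie: /^_ga(_|$)/.test(name), findings };
}

// Constructed sample cookies modelled on the three names in the report:
// two carry Secure and SameSite, the third carries neither.
const sampleCookies = [
  '_ga=GA1.1.1111.2222; Path=/; Max-Age=63072000; Secure; SameSite=Lax',
  '_ga_ABC123=GS1.1.3333.1.0.4444.0.0.0; Path=/; Max-Age=63072000; Secure; SameSite=Lax',
  '_ga_XYZ890=GS1.1.3333.1.0.4444.0.0.0; Path=/; Max-Age=63072000',
];

// Return only the cookies that have at least one finding.
function auditAll(cookies = sampleCookies) {
  return cookies.map(auditCookieString).filter((r) => r.findings.length > 0);
}

// Stand-alone run: configure with hardened flags, then audit the samples.
configureGa4('G-PLACEHOLDER', buildCookieFlags({ sameSite: 'Lax', secure: true }));
console.log(JSON.stringify(auditAll(), null, 2));
```

The audit only inspects strings handed to it; in a browser, cookies already stored are exposed through `document.cookie` without their attributes, so an equivalent check has to run on the cookie strings at the moment they are written (for example by wrapping the `document.cookie` setter in a test page) or through the browser's developer tools.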

Support request
Status

Active

Version

2.0

Component

Miscellaneous

Created by

United States bburg Washington D.C.


Comments & Activities

  • Issue created by @bburg
  • United States bburg Washington D.C.

    It seems like the js code is potentially already equipped to handle setting the cookie_flags value through the "Custom dimensions and metrics" from the back-end, but just based on the naming, it doesn't seem like that's how it was intended to be used (also, the "dimensions" and "metrics" seem functionally identical here?).

  • Colombia yovanny.gomez.oyola

    Hi @bburg,

    We are encountering the same issue, but it only appears in Mozilla Firefox; there are no warnings in Google Chrome.

    How can we resolve this? Is it necessary to apply a patch to the module, or can this be adjusted from the Drupal backend?

    Thank you, and I look forward to your feedback.
