25

I use Google Analytics on some pages of my website. My entire site uses SSL. Is it possible to secure the Google Analytics cookies (__utm*)?

At least I would like to enable the Secure flag on them. At best I would also like to set the HttpOnly flag on them, but I don't think the latter is possible (because Google uses JS to access the cookies, I think).

Is it possible to do this? And if so how to set it up?

PeeHaa

4 Answers

22

Short of modifying the GA script and storing your own local copy, no, you're not going to be able to set the Secure or HttpOnly flags. I imagine Google has made a conscious design decision about this, and certainly there can be advantages to being able to track the same user across both secure and insecure schemes.

You've got to ask yourself what you're trying to achieve with this though; what's the potential exploit if a man in the middle can intercept and read or manipulate the cookie due to lack of the secure flag? Same again with the HttpOnly flag; what's the upside for the attacker if they can retrieve this cookie via an XSS exploit?

I've seen this sort of feedback from automated security scanners before that are simply triggered by the missing flags without having the context of what the cookies are actually being used for. That would be my first guess at why a question like this would even come up.

Troy Hunt
17

There is a new option called cookie_flags when loading the GA library.

ga('create', 'UA-XXXXX-Y', {
    cookieFlags: 'max-age=7200;secure;samesite=none'
});
Peyman Mohamadpour
raik
4

Addition to raik's answer:

Even more info about setting other cookie values in analytics may be found in this blog post.

For example, how to do it using gtag:

gtag('config', 'G-N2A3NNNNN', {
  cookie_flags: 'max-age=7200;secure;samesite=none'
});
damon
Erik Melkersson
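The two answers above both pass a cookie_flags / cookieFlags string to GA. The following is an added example (not code from the question, the answers or Google) that parses such a string and lists what a browser will do with each flag before the GA cookie is stored, including the point from the question that HttpOnly cannot be set from JavaScript. The function names are my own.

```javascript
// Parse 'max-age=7200;secure;samesite=none' into
// { 'max-age': '7200', secure: true, samesite: 'none' }.
// Attribute names and values are lower-cased, as browsers compare them case-insensitively.
function parseCookieFlags(flags) {
  const attrs = {};
  for (const part of flags.split(';')) {
    const piece = part.trim();
    if (!piece) continue;
    const eq = piece.indexOf('=');
    const name = (eq === -1 ? piece : piece.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? true : piece.slice(eq + 1).trim().toLowerCase();
    attrs[name] = value;
  }
  return attrs;
}

// Return the list of problems a flags string has on a page served over `protocol`
// ('https:' or 'http:'). An empty list means the cookie is stored with the requested flags.
function checkCookieFlags(flags, protocol) {
  const attrs = parseCookieFlags(flags);
  const problems = [];
  if ('httponly' in attrs) {
    // GA writes its cookies through document.cookie, which cannot set HttpOnly;
    // browsers silently ignore the attribute there.
    problems.push('httponly cannot be set from JavaScript and will be ignored');
  }
  if (attrs.samesite === 'none' && !('secure' in attrs)) {
    // Browsers reject a SameSite=None cookie that is not also Secure.
    problems.push('samesite=none requires secure; the cookie will be rejected');
  }
  if ('secure' in attrs && protocol !== 'https:') {
    // A Secure cookie written from a non-HTTPS origin is dropped.
    problems.push('secure cookie cannot be set from a non-https: page');
  }
  if (!('secure' in attrs) && protocol === 'https:') {
    // Without Secure the cookie is also sent on any plain-http request to the site.
    problems.push('secure flag missing: cookie will also be sent over plain http');
  }
  return problems;
}
```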
-2

The Google Analytics cookies (yes, set via JS) are primary cookies, thus only your domain is able to write those. So if it's security you are looking for, that's as secure as it gets.

Although I'm not 100% sure about your question here, if you are looking to enable Google Analytics only on HTTP pages, you can alter the GA code on your pages to do so in this way, as an example:

<script type="text/javascript">
  // Only load Google Analytics when the page was not served over HTTPS.
  if (document.location.protocol != 'https:') {
    var _gaq = _gaq || [];
    _gaq.push(['_setAccount', 'UA-XXXXX-X']);
    _gaq.push(['_trackPageview']);

    (function() {
      var ga = document.createElement('script');
      ga.type = 'text/javascript';
      ga.async = true;
      ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(ga, s);
    })();
  }
</script>
Augusto Roselli
OP is asking if the GA cookies can be set using the secure flag, as in http://en.wikipedia.org/wiki/HTTP_cookie#Secure_cookie – Yahel Feb 03 '12 at 16:36