Tracking Cookie gets set if "DNT=1" #10162

Open
85pando opened this issue May 18, 2016 · 6 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc.

Comments

85pando commented May 18, 2016

We use Piwik with the cookies disabled: use_third_party_id_cookie = 0 and _paq.push(['disableCookies']); (trying not to have to display those stupid EU-warnings about Cookies).

Unfortunately it seems the case that there is some mixup. If "do not track" is disabled in the browser everything is fine, if it is enabled a Cookie is set.
I think the idea of this cookie is to "delete" cookies that might have been set before, as the expiration is before the cookie is actually set. If this is the case, the corresponding page in the FAQ should probably be updated to include this.

[Image: piwik-cookie]

Piwik version is 2.16.1.

Member

tsteur commented May 22, 2016

The cookie should be set with a date in the past and be deleted immediately. This "delete" cookie is basically set to delete any existing cookies. We could make it a bit smarter and set the delete cookie only if one is actually set currently which is likely the case unless disableCookies was called before like in your case.

Solution would be to send along the tracking request whether cookies are disabled and then consider this server side as well.

@tsteur tsteur added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. Bug For errors / faults / flaws / inconsistencies etc. and removed Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. labels May 22, 2016
Author

85pando commented May 23, 2016

> This "delete" cookie is basically set to delete any existing cookies.

That's what I thought it's for (-:

> The cookie should be set with a date in the past and be deleted immediately.

In Firefox that's true, in Chrome however the expired cookie is stored. We just want to prevent those EU-cookie-warnings, so we'd rather have no cookies at all.

> Solution would be to send along the tracking request whether cookies are disabled and then consider this server side as well.

Another idea would be to make disable-cookies an enum with {false | delete | true} or add a second flag like disable-delete-cookies or something like that. In this way the server admin could decide what should be used.

Member

tsteur commented May 23, 2016

A workaround so far would be maybe to call deleteCookies after each tracking request. Eg _paq.push(['trackPageview']);_paq.push(['deleteCookies']) but I haven't tried whether it actually works.

Author

85pando commented May 24, 2016

To clarify, the cookie is not set in Chrome but it is displayed in the cookie list with a 2015 expiration date. There certainly is a valid use case for the pk_uid=deleted cookie, namely to delete a cookie that was previously set.
However, for sites like ours that have never set such a cookie in the past, this is unnecessary. We fear that users who check if the site sets any cookies, will just see that there is a cookie being set and are not looking at the expiration date.

We will try your workaround suggestion and get back here.

Author

85pando commented May 27, 2016

Can confirm that this prevents storage of the cookie as a workaround.

@mattab mattab added this to the Mid term milestone May 27, 2016
Author

85pando commented May 30, 2016

Alternatively, my colleague also added this to the virtual host of the piwik server (Apache) before I set _paq.push(['deleteCookies']):

```apache
<VirtualHost […]>
    ServerName piwik.[…]
    […]
    SetEnvIf Request_URI "^/piwik\.php" is_tracker
    Header unset Set-Cookie env=is_tracker
</VirtualHost>
```
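
An added example, not part of the thread and not Piwik's own code: a small JavaScript audit helper that classifies the `Set-Cookie` headers of a tracker response. It separates a "delete" cookie (expiry in the past) from one that is actually stored, and reports separately whether the response carries no cookie header at all, which is the state the Apache rule above produces. The header strings are constructed samples and the function names are hypothetical.

```javascript
// Added example (not Piwik code). Header strings are constructed samples.
const NOW = new Date('2016-05-18T00:00:00Z'); // fixed clock for repeatable results

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq); // no '=': nameless cookie
  const cookie = { name, value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// 'delete'     : expiry is not in the future, the browser drops the cookie
// 'persistent' : expiry in the future, the cookie is stored
// 'session'    : no usable expiry, kept until the browser session ends
function classify(header, now = new Date()) {
  const { name, attrs } = parseSetCookie(header);
  // Max-Age wins over Expires when both are present (RFC 6265, section 5.3).
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    return { name, kind: Number(attrs['max-age']) <= 0 ? 'delete' : 'persistent' };
  }
  const t = typeof attrs.expires === 'string' ? Date.parse(attrs.expires) : NaN;
  if (!Number.isNaN(t)) {
    return { name, kind: t <= now.getTime() ? 'delete' : 'persistent' };
  }
  return { name, kind: 'session' };
}

// cookieFree: no Set-Cookie header at all (what someone inspecting the
// response sees). nothingStored: headers may exist, but none leaves a cookie.
function auditTrackerResponse(setCookieHeaders, now = new Date()) {
  const results = setCookieHeaders.map((h) => classify(h, now));
  return {
    results,
    cookieFree: results.length === 0,
    nothingStored: results.every((r) => r.kind === 'delete'),
  };
}

// Constructed samples: the "deleted" cookie described in the thread, and the
// same response after a server rule has stripped Set-Cookie.
const withDeleteCookie = ['pk_uid=deleted; Expires=Thu, 01 Jan 2015 00:00:01 GMT; Path=/'];
const afterHeaderUnset = [];
console.log(auditTrackerResponse(withDeleteCookie, NOW));
console.log(auditTrackerResponse(afterHeaderUnset, NOW));
```

For the first sample the audit reports `nothingStored: true` but `cookieFree: false`, which is the gap the reporter describes: nothing persists, yet a cookie header is still visible to anyone who looks.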