Matomo: Default setSecureCookie to true

Created on 19 Feb 2020 · 5 Comments · Source: matomo-org/matomo

I think that setSecureCookie should be set to true as a default, not an option. From my point of view, serving Matomo over https should be expected - not http. And therefore it should make sense to have setSecureCookie=true as default, and if it should not be set to true, that should be the option; that makes setting up tracking much simpler for the end user, from my perspective.

So this should be the override:

_paq.push(['setSecureCookie', false]);

Security

All 5 comments

Thanks for your suggestion. I guess it might make sense to expect secure cookies by default.
Might be something we could evaluate for Matomo 4. It kind of breaks BC, as the tracking code needs to be adjusted for HTTP sites.

I think this might be even worth breaking BC for as the alternative is having everyone using HTTPS (which should be far more people than those that don't) edit their tracking code.

We had this topic a few days ago in Slack. The problem is when your site is not fully https, and e.g. some pages are http and some are https, then you end up with different cookies and different visitor IDs etc.

Many people are still using http, and for example have a login on https etc. Seeing this sometimes while investigating issues. Of course they could then just remove the line from the suggested tracking code. Would need to make sure the default tracking code we suggest has a comment next to it explaining things and explains when to remove it etc.

serving Matomo over https should be expected -

In this case it's the user website that matters as we are setting a first party cookie unless I'm not seeing it?

Assuming we make secure cookies the default setting, we could extend the tracking code generator with an additional option My site is served https only, which is checked by default. And when you uncheck it the _paq.push(['setSecureCookie', false]); is added?

BTW we should maybe rather make such a change as part of Matomo 5. Because when you change this, it can cause issues when users have HTTPS and HTTP traffic as it would create different visitors depending on protocol.

Not sure what the benefit is though. If someone only uses HTTPS (which many sites do), then this should basically not even be needed to be called as there wouldn't be much of a benefit?
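The mixed-protocol problem raised twice in this thread (the "different cookies and different visitor IDs" point and the later Matomo 5 remark about HTTPS and HTTP traffic creating different visitors) can be reproduced with a small model. The following is an added example, not Matomo's tracker code or anything from the matomo-org/matomo repository: the CookieJar, trackPageview and simulate functions and the cookie name visitor_id are this example's own choices. It assumes the Secure-attribute semantics of RFC 6265 (a Secure cookie is only sent to https pages) plus the rule current browsers apply that only an https page may create a Secure cookie; the tracker logic is a toy stand-in for a first-party visitor-id cookie, with the secureCookie argument playing the role of setSecureCookie.

```javascript
// Added example (not Matomo's code): model of how a Secure visitor-id cookie
// behaves on a site that is served partly over http and partly over https.

// Toy cookie jar standing in for the browser's cookie store.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, secure }
  }

  // Assumption (modern browser behaviour): a Secure cookie can only be created
  // from an https page. Non-Secure cookies can be set from either scheme.
  set(name, value, secure, scheme) {
    if (secure && scheme !== 'https') return false;
    this.cookies.set(name, { value, secure });
    return true;
  }

  // RFC 6265: a Secure cookie is only sent to (visible from) https pages.
  get(name, scheme) {
    const c = this.cookies.get(name);
    if (!c) return null;
    if (c.secure && scheme !== 'https') return null;
    return c.value;
  }
}

const COOKIE_NAME = 'visitor_id'; // constructed name, not Matomo's real cookie

// Toy tracker: reuse the visitor id from the cookie, or mint a new one and
// try to store it. `secureCookie` plays the role of setSecureCookie.
function trackPageview(jar, scheme, secureCookie, nextId) {
  const existing = jar.get(COOKIE_NAME, scheme);
  if (existing !== null) return { visitorId: existing, newVisitor: false };
  const id = nextId();
  const stored = jar.set(COOKIE_NAME, id, secureCookie, scheme);
  return { visitorId: id, newVisitor: true, stored };
}

// Replay a sequence of page views (each 'http' or 'https') and report the
// visitor id seen on each view plus whether the cookie ends up being sent
// over plain http, which is the exposure setSecureCookie is meant to prevent.
function simulate(path, secureCookie) {
  const jar = new CookieJar();
  let n = 0;
  const nextId = () => `v${++n}`;
  const visitorIds = path.map(
    (scheme) => trackPageview(jar, scheme, secureCookie, nextId).visitorId
  );
  return {
    visitorIds,
    distinctVisitors: new Set(visitorIds).size,
    cookieSentOverHttp: jar.get(COOKIE_NAME, 'http') !== null,
  };
}

// Stand-alone demo: the same browsing path under both settings.
const path = ['https', 'https', 'http', 'https'];
console.log('secureCookie=true :', simulate(path, true));
console.log('secureCookie=false:', simulate(path, false));
```

With secureCookie set to true, every http page view fails to see the Secure cookie and cannot create one, so each http view is counted as a new visitor while the https views keep one id; with it set to false the id is stable across schemes, but the cookie is also transmitted in clear over http. That is the trade-off the thread is weighing: a secure default is only free of side effects on a site that is https-only.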
