Set Secure flag for ga cookies

[hsquek]

Hi everyone,

We recently had a penetration test done and found that ga cookies were not set with the secure attribute. As far as I know the only editable cookie fields are cookieDomain, cookieName and cookieExpires.

Is there another way to set the secure flag on these cookies, or is it not necessary to do so even from a security perspective? Feedback is much appreciated, thanks!

Edit
I tried setting the forceSSL flag (as below), but it doesn't work:

  ReactGA.initialize(_my_tracking_id, {
    gaOptions: {
      userId: options.userId,
      appId: options.appId,
    }
  });
  ReactGA.ga('set', 'forceSSL', true);

[hariria]

Had a question about this as well. I'm getting this error:

A cookie associated with a cross-site resource at http://doubleclick.net/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. 

if anyone has solutions to this please let me know

[hcz1]

I also need to know how to solve this, can't use GA in an iframe anymore due to the lack of SameSite and Secure, cookie flags.

[hcz1]

https://www.simoahava.com/analytics/cookieflags-field-google-analytics/ -> See this blog

[hcz1]

I've made a PR for this addition, I've tested it locally, works great -> #423

[jaedb]

@SimeonC do you have any guidance of when this will be merged? @hcz1 has a functioning and straightforward PR which is ready to roll.
I am frothing at the bit to get this in to production. If you need any help to get this released, please sing out!

[BrunoMorales]

This has been merged and released in v3.0.0. Thread should be closed.

[jamesholbert]

https://www.simoahava.com/analytics/cookieflags-field-google-analytics/ -> See this blog