Do not track the data when a token_auth is set to the Tracking API but is not valid #7202
Does the given auth token have admin permission for that site or super user permission? Is the token auth present in the original URL?
The auth token has admin permission, and $t->setForceVisitDateTime works perfectly fine, which is only possible with admin/super user permissions. The auth token is contained as POST variable, not in the URLs, as I am doing bulk tracking - I guess I should have included a "$t->doBulkTrack();" at the end of my example to make it more clear. Everything within PiwikTracker.php looks fine, that is why I am concluding that the tracker API is ignoring the cip-parameter somehow.
Maybe this is just a bug with bulk tracking? It is probably easy to find out if one knows the piwik API code.
I just tried to reproduce this via bulk tracking (via PiwikTracker) but worked fine for me. I also had a look at I tested using the latest 2.11 beta version so it is also possible that it was fixed somehow but I doubt that. I tried it with a super user token and an admin token.
Where can I find out all the tokens which are valid? I never changed the tokens and my script used to work (and it did not change either), but maybe Piwik changed the tokens after the upgrade? That's the only explanation I can come up with if the problem is with the token. And how can I completely disable the tracking API when used without a valid token? This seems like a huge security risk to me (and everybody can theoretically change the statistics, if they know the URL).
I checked for the API token when logged in to Piwik, changed it in my code, and the IPs are being set again when running my script. The problems started immediately after upgrading from 2.9.0 to 2.9.1 - I did not change the token or anything else about the user account, at that time I did not use the account, I only updated the Piwik version. I still see huge problems with the current workings of Piwik in this regard:
Re 1) There is for example Re 2) I agree, I was thinking about this as well. If token is not valid we should not simply ignore the values but not insert the request at all or somehow differently make clear that there is an error. Ping @mattab
👍 Maybe this issue scope could be "Throw an error/exception when a token is set to the Tracking API but is not valid" ?
From my perspective the following changes would be great:
There is a valid reason for this since bulk tracking is eg used by some clients by default eg the iOS tracker and we can't require a token here. If someone wants to overload your Piwik installation, one can do it without bulk requests as well and maybe even easier by just sending many single tracking requests. As you said the javascript tracking code is the reason for this. An option to only allow the tracking with code sounds good to me. PiwikTracker.php checking the tracking response code and throwing an exception sounds good to me as well.
Ok, for a default setting there are always different possibilities according to preferences. Personally, I would set it to true by default, but changing it now would break existing applications, which is not great. With a new option to restrict tracking to auth tokens and the exceptions in PiwikTracker when invalid auth tokens are used, my problem or anything like it should not occur anymore.
I had this issue with tracking requests. Auth_token changed autonomously with an upgrade and subsequently the cip parameter of all tracking requests was replaced with the server ip. I too now have months of invalid ip addresses, which for an analytics system means this is quite important.
Piwik does not change token_auth automatically - however token is changed whenever the password is changed. I will rename this issue to reduce the scope to (implementation note: i think the only way to do this will be that Tracking API returns an error eg
My token_auth definitely changed when I upgraded Piwik - I did not change my password or my account in any way. That is how my problems with the wrong IPs started.
we can't start throwing errors as it could stop tracking data for some Piwik setup: it's an API BC break (it would start showing errors when it used to track data). Moving to
It wouldn't track anyway or not? Or maybe it would track wrong data. I'm not sure but this sounds actually useful. How would other people notice that the tracking doesn't work properly anymore? This also relates to #7550. IMO if a token auth is set, and it is not valid, it should not track anything as it is potentially malicious
yes it would track with possibly wrong data...
+1 - this change would make sense and help users spot an issue when they don't see data anymore. Notes:
I am using the PiwikTracker class and submitting log entries in bulk to Piwik through a cron job. I noticed that since a Piwik upgrade in December (), setting the user IP does not work anymore. I am using code in the following fashion (simplified):
Instead of the IP I am setting explicitly with setIP, my server IP address is used. I checked PiwikTracker.php and did not find anything wrong there, PiwikTracker.php creates the following API url:
https://myserverdomain.com/piwik/piwik.php?idsite=1&rec=1&apiv=1&r=232237&cip=178.197.230.13&cdt=2015-02-13+22%3A24%3A58&_idts=1423868304&_idvc=0&res=360x559&cookie=1&cvar=%7B%223%22%3A%5B%22_pks%22%2C106460%5D%2C%224%22%3A%5B%22_pkn%22%2C%22Hei+Poa+Soin+Trad+Monoi+Roucou+Effet+Cuivre+100+Ml%22%5D%2C%225%22%3A%5B%22_pkc%22%2C%22%22%5D%7D&gt_ms=31&cid=1285616f562e29e1&url=https%3A%2F%2Fwww.myshop.ch%2Fp106460%2Fhei-poa-soin-trad-monoi-roucou-effet-cuivre-100-ml&urlref=https%3A%2F%2Fwww.google.ch
The IP address is contained as it should be, yet the Piwik API seems not to use it.
I am using the newest Piwik version (2.10.0), the error already occurred in 2.9.1. and maybe further back.
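
The behaviour proposed in this thread (record nothing when a token_auth is supplied but not valid, while anonymous bulk tracking keeps working) is sketched below as an added example. It is not Piwik's code: `handleBulkPayload`, the token checker and the sample tokens are hypothetical or constructed, and dropping `cip`/`cdt` for anonymous requests is an assumption.

```php
<?php
// Added illustration, not Piwik's code; function and variable names are hypothetical.
const PRIVILEGED_PARAMS = ['cip' => true, 'cdt' => true]; // overrides seen in this issue

/**
 * @param string   $rawBody      bulk body: {"requests": ["?idsite=1&rec=1", ...], "token_auth": "..."}
 * @param callable $isValidToken fn(string $token, int $idSite): bool, stand-in for the permission check
 * @return array{status:int, tracked:array, error:?string}
 */
function handleBulkPayload(string $rawBody, callable $isValidToken): array
{
    $payload = json_decode($rawBody, true);
    if (!is_array($payload) || !is_array($payload['requests'] ?? null)) {
        return ['status' => 400, 'tracked' => [], 'error' => 'malformed bulk payload'];
    }
    $token = is_string($payload['token_auth'] ?? null) ? $payload['token_auth'] : '';
    $tracked = [];
    foreach ($payload['requests'] as $query) {
        if (!is_string($query)) {
            return ['status' => 400, 'tracked' => [], 'error' => 'request is not a query string'];
        }
        parse_str(ltrim($query, '?'), $params);
        $idSite = (int) ($params['idsite'] ?? 0);
        if ($token !== '' && !$isValidToken($token, $idSite)) {
            // Proposed behaviour: a token was sent but is not valid, so record
            // nothing from the batch and tell the client why.
            return ['status' => 401, 'tracked' => [], 'error' => 'token_auth is set but not valid'];
        }
        if ($token === '') {
            // Assumption: anonymous tracking stays allowed, overrides are dropped.
            $params = array_diff_key($params, PRIVILEGED_PARAMS);
        }
        $tracked[] = $params;
    }
    return ['status' => 200, 'tracked' => $tracked, 'error' => null];
}

// Constructed sample data: one known token with access to site 1.
$check = fn(string $t, int $idSite): bool => hash_equals('constructed-valid-token', $t) && $idSite === 1;
$requests = ['?idsite=1&rec=1&cip=203.0.113.7&cdt=2015-02-13+22%3A24%3A58'];

foreach (['constructed-valid-token', 'constructed-stale-token', null] as $token) {
    $body = json_encode(array_filter(['requests' => $requests, 'token_auth' => $token]));
    $result = handleBulkPayload($body, $check);
    printf("%-24s status=%d kept_cip=%s error=%s\n", $token ?? '(none)', $result['status'],
        isset($result['tracked'][0]['cip']) ? 'yes' : 'no', $result['error'] ?? '-');
}
```

A client that checks the returned status sees the stale token on the first batch instead of finding wrong IP addresses in its reports later.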