This repository has been archived by the owner on Apr 3, 2019. It is now read-only.
Record user-agent and last-access-time on session tokens #983
Comments
We should get approval from legal before we start collecting this data; I think it's fair game because it's nothing we couldn't pull out of the server access logs anyway, but for some things it's better to ask permission than forgiveness...
@philbooth as a first step towards a lot of the work and the metrics we want to do this quarter, do you think you'll have bandwidth to collaborate on this for train-43?
@rfk, yep. I started to look into this yesterday a bit actually, but didn't want to make any changes until you got the green light for us to collect the data. Are we good on that front now?
I've linked 4 PRs which are almost ready for review, pending some questions that I need answers to.
We want to be able to surface a "control dashboard" where the user can see what's connected to her account and control/revoke things as necessary. The lowest-hanging fruit for such a dashboard would be to see where all the active session tokens are from, and how recently they were used.
This information would be exposed via oauth-authenticated APIs like #950, but before we even get that far we will have to start recording it.
It will also provide the basic data for many of the connected-experience metrics dashboards in mozilla/fxa#21.
Proposal:
Doing (3) will create a large increase in the write volume on the auth db, but I think it's important data to be able to surface to the user. We may be able to mitigate the load with some clever batch background updates if necessary, since we can trade off reliability for performance with this data.
(Also note that this is parallel to any work on a "device list" service. When devices API comes online we can incorporate an additional "device id" field in the sessionToken metadata, but it's important to be able to track sessions from the web as well as sessions from devices).