@joubertredrat opened this Issue on March 29th 2016 Contributor

Hi guys,

I'm a PHP developer too, and on my public URLs I like to protect the URL when it has an id, as below.

https://my.domain/product/1/laptop-dell = open id
https://my.domain/product/514cdi42/laptop-dell = hash id

I think it is a good idea to implement this in Piwik as an option: if you enable hashing of the public id, the public ID will be hashed, otherwise not, as below.

Open

```html
<!-- Piwik -->
<script type="text/javascript">
  var _paq = _paq || [];
  _paq.push(["setDomains", ["*.my.domain"]]);
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="//analytics.my.domain/";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', 1]);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
<noscript><p><img src="//analytics.my.domain/piwik.php?idsite=1" style="border:0;" alt="" /></p></noscript>
<!-- End Piwik Code -->
```

```html
<!-- Piwik Image Tracker-->
<img src="https://analytics.my.domain/piwik.php?idsite=1&rec=1" style="border:0" alt="" />
<!-- End Piwik -->
```

Hashed

```html
<!-- Piwik -->
<script type="text/javascript">
  var _paq = _paq || [];
  _paq.push(["setDomains", ["*.my.domain"]]);
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="//analytics.my.domain/";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', 'laHquq']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
<noscript><p><img src="//analytics.my.domain/piwik.php?idsite=laHquq" style="border:0;" alt="" /></p></noscript>
<!-- End Piwik Code -->
```

```html
<!-- Piwik Image Tracker-->
<img src="https://analytics.my.domain/piwik.php?idsite=laHquq&rec=1" style="border:0" alt="" />
<!-- End Piwik -->
```

In my project I'm using the hashids PHP library, and I like this lib a lot because it is possible to hash and unhash an id without problems.

What do you think, guys: is this a good security implementation to reduce attack attempts and improve security? Let's discuss.

@tsteur commented on March 29th 2016 Owner

This could be developed in a new plugin I think if someone is keen to build it.

Basically the plugin would "only" need to listen to this event http://developer.piwik.org/api-reference/events#trackerrequestgetidsite like this:

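```php
// Callback for the Tracker.Request.getIdSite event.
function eventCallback(&$idSite, $params)
{
    // "unhashid..." is left elided as posted; substitute the decode call.
    $idSite = (int) unhashid...($params['idsite']);
}
```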

Likely a little UI would be needed as well to show which hashId to use for which idSite.

For more information on how to create a plugin see http://developer.piwik.org/guides/getting-started-part-1 and for how to listen to events see http://developer.piwik.org/guides/events
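
The decode step of the callback sketched above, as an added example that is not part of the original thread or of the ProtectTrackID plugin. It assumes the hashids/hashids Composer package; the salt, the minimum length and the `decodeSiteId` helper are hypothetical. `Hashids::decode()` returns an array, so the id has to be extracted and validated rather than cast.

```php
<?php
// Added example, not code from Piwik or the ProtectTrackID plugin.
// Assumes the hashids/hashids Composer package; salt and length are constructed values.
require __DIR__ . '/vendor/autoload.php';

use Hashids\Hashids;

/**
 * Decode a hashed idsite; return null unless it maps to exactly one positive id.
 */
function decodeSiteId($raw, Hashids $hashids)
{
    // Reject arrays, empty values and anything outside the default hash alphabet.
    // Short plain integers such as "1" fail the minimum-length check.
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9]{6,32}$/', $raw)) {
        return null;
    }
    // Hashids::decode() returns an array; (int) on a non-empty array is always 1,
    // so the element has to be taken out explicitly.
    $ids = $hashids->decode($raw);
    if (count($ids) !== 1 || $ids[0] < 1) {
        return null;
    }
    // Only accept the canonical encoding of that id.
    if ($hashids->encode($ids[0]) !== $raw) {
        return null;
    }
    return (int) $ids[0];
}

// Callback with the signature shown above for Tracker.Request.getIdSite.
function eventCallback(&$idSite, $params)
{
    $hashids = new Hashids('constructed-example-salt', 6);
    $decoded = decodeSiteId(isset($params['idsite']) ? $params['idsite'] : null, $hashids);
    // Assumption: the tracker treats idSite 0 as invalid and drops the request.
    $idSite = $decoded === null ? 0 : $decoded;
}

// Constructed sample inputs: one valid token, then values that must be rejected.
$h = new Hashids('constructed-example-salt', 6);
$token = $h->encode(1);
foreach ([$token, '1', 'zzzzzz!', ['x'], $token . 'a'] as $candidate) {
    $idSite = null;
    eventCallback($idSite, ['idsite' => $candidate]);
    echo json_encode($candidate), ' => ', $idSite, "\n";
}
```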

@mattab commented on March 31st 2016 Owner

Closing this issue as it was also covered in: https://github.com/piwik/piwik/issues/4920

@joubertredrat commented on March 31st 2016 Contributor

Hi guys,

@mattab, I think that hashing or obfuscating the id is different from setting a custom id on a site; it is another scope. One is to protect the URL from injection and is the default for every Piwik instance; the other is to manage and customize your settings, and you can define which site will have a custom id.

It would even be possible to use both at the same time. If idSite is a number and "hash" is activated, hash the id, otherwise not.

I will try to create a plugin as @tsteur said.

@tsteur commented on March 31st 2016 Owner

This is indeed different to #4920

@joubertredrat that's awesome to hear. Let me know if you have any questions.

@joubertredrat commented on June 22nd 2016 Contributor

Hi guys,

Sorry for the delay, a lot of work here.

@tsteur, the plugin is almost ready, but I have questions about events.

~~I want to encode the idsite to a hash if the plugin is active and configured and the user gets the JavaScript or Image Tracking code in the trackingCodeGenerator action.
I want to decode the hash to the idsite before the trackPageView action.~~

But I'm not sure if I can do this on the Tracker.Request.getIdSite event here.

@joubertredrat commented on June 22nd 2016 Contributor

Hi guys,

I solved the question about the hash ID for tracking by JavaScript and image, but a PR on Piwik core was necessary: https://github.com/piwik/piwik/pull/10247.

@joubertredrat commented on June 22nd 2016 Contributor

Hi guys,

Now I have finished the plugin and it is ready for tests; the source is at https://github.com/joubertredrat/Piwik-ProtectTrackID

The prerequisite for testing is to use the changes from PR https://github.com/piwik/piwik/pull/10247 or to manually change setSiteId and add single quotes around the value.

@joubertredrat commented on June 30th 2016 Contributor

@tsteur @mattab now it is done. Have a look and see if you like it, so we can close this issue.

https://plugins.piwik.org/ProtectTrackID

@tsteur commented on July 2nd 2016 Owner

Awesome work 👍 I'll close the issue

This Issue was closed on July 2nd 2016