Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-21972

ezrecommendation: make event tracking tamper-proof

    XMLWordPrintable

    Details

      Description

      On high-visibility websites, people might be motivated trying to cheat and push some items to the top of the list (most viewed, most clicked) so that they get recommended more and, in the end, sold more.

      The current ezrecommendation code does little to no validation of the user-id / session-id parameters used for tracking events, leaving the burden of filtering out cheaters to the reco engine itself.

      But this could be improved:

      1) the user-id parameter, used in http requests for tracking events, should be just removed. When a user is logged-in, the code (view) receiving the track-event request should use the currently-logged-in user-id. When user is not logged-in, the ezreco sid is enough

      2) for sites which use sessions even for anon users, the ezreco sid can be stored in user session, and checked against tampering when receiving a track-event request

      3) for real prevention of cheaters, a similar mechanism to ezformtoken could be implemented, where no "track" event is accepted if it is not accompanied by a suitable token which was displayed in the previous page shown to user

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            gaetano.giunta-obsolete@ez.no Gaetano Giunta (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: