We have moved our site domain from oldsite.od.ua to newsite.ua (not between subdomains and principal .tld).
Google Analytics continues to collect the same GA property and views, but all GA Client IDs changed. I know about cross-domain tracking, but in my case users don't visit the old domain to go to the new one.
Is there a way to transfer old IDs to the new domain?
We don't use the User ID because we don't have any authorization on our site.
That should be possible, while a little tricky.
You need to read the user _ga cookie that exists on the old site and set it for the same browser on the new site
This is only possible through a special redirect, here is a sample flow:
Accessing to newsite.ua would include in the source of every page of the news site a reference to a resource like an image on https://oldsite.od.ua/special/ga.png
That call is a pretext to allow reading the _ga cookie value on https://oldsite.od.ua/ for that browser through HTTP Request Headers
probably something like GA1.3.1218996493.1586263874
The request to ga.png would be handled by a PHP script for example, able to process HTTP Header values and it would do a 302 redirect to
https://newsite.ua/special/ga.png?ccvalue=GA1.3.1218996493.1586263874
This allows you to pass the value of the former GA cookie to the new site context. You will be able to access the "_ga" cookie value in PHP with something like
$_COOKIE["_ga"]
The HTTP Response to the call to https://newsite.ua/special/ga.png?ccvalue=GA1.3.1218996493.1586263874 would have an HTTP header like this
Set-Cookie: _ga=GA1.2.1218996493.1586263874; Expires=<date in 13 months>
Thus passing through the value of the parameter as a cookie value. But only if the HTTP request to https://newsite.ua/ doesn't already hold a _ga in the Request Header (that would mean that the browser has already been migrated)
(You'll need to adjust the code to make sure it doesn't go into an infinite loop for example...)
Note that the ".3." at the beginning of the initial cookie value needs to be replaced by ".2." to match the _ga cookie generation rule on the new domain (it is based on the number of dots in the domain name, and allows GA to select the appropriate cookie between a domain and a subdomain) because in your case you move between different domain patterns
This applies to the analytics.js version
The GA debug extension will help you verify that it's taken into account
You should also consider handling user consent regarding tags and so on in that migration.
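As an added example (not part of the original answer), this is one way the handler behind https://newsite.ua/special/ga.png could decide what to put in `Set-Cookie`: `ccvalue` arrives in a query string that anyone can craft, so it is matched against the exact `GA1.<n>.<id>.<timestamp>` shape before being echoed into a response header. The function names and the `Path=/` attribute (without it the cookie would be scoped to `/special`) are assumptions; the 13-month expiry and the `.3.` to `.2.` rewrite follow the answer.

```javascript
// Added example: hypothetical helper for the newsite.ua side of the redirect flow.
// Only digits and dots may pass, so CR/LF or ";" cannot reach the header.
const GA_VALUE = /^GA1\.(\d)\.(\d{1,20})\.(\d{1,20})$/;

// Parse a Cookie request header into a prototype-less map.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Returns the Set-Cookie header value to send, or null when nothing must be set.
function migrateGaCookie(cookieHeader, ccvalue, newHost, now = new Date()) {
  // A _ga already present on the new domain means this browser was migrated
  // earlier (or GA already issued a fresh ID): never overwrite, never loop.
  if ('_ga' in parseCookies(cookieHeader)) return null;

  const m = GA_VALUE.exec(String(ccvalue));
  if (!m) return null; // missing, malformed or injected value

  // Second field follows the domain pattern: 3 for oldsite.od.ua, 2 for newsite.ua.
  const depth = newHost.split('.').length;

  const expires = new Date(now.getTime());
  expires.setUTCMonth(expires.getUTCMonth() + 13); // "date in 13 months"

  // No HttpOnly: analytics.js has to read this cookie from page script.
  return `_ga=GA1.${depth}.${m[2]}.${m[3]}; Path=/; Expires=${expires.toUTCString()}`;
}
```

A `null` result means the handler should return the image without any `Set-Cookie` header.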
I'm trying to set up hortonworks schema-registry with openresty.
we have google oauth enabled for our schema-registry ui. The google oauth passes a cookie called "_token" to /ui and all other subsequent paths except /api
This is because we may want to hit /api directly as well. (without google authentication).
The problem is since /api is excluded from the list, I'm unable to pass the cookie "_token" to any of the requests under /api
In my access_by_lua , there is a condition where I check for the cookie,
if the cookie is present - the user is authenticated and then he can move ahead
if not - we do some other checks to validate the request, and pass it ahead accordingly or return an error statement
My question is, if I want to pass the cookie from /ui to /api, how do I go ahead with it?
Also , the cookie should be set only for that particular user so that my other apps can communicate quickly.
What I've tried till now:
I tried setting a global cookie _token after reading it from the /ui path.
This doesn't seem to work since it sets the cookie for all requests (even the ones coming from apps) and the value of the cookie is static based on the first _token it receives from /ui
There are following column names under "User-defined cookies":
1. Name
2. Value
3. Domain
4. Path
5. Secure
What I should enter in all above mentioned fields and how it is useful?
HTTP Cookie Manager is smart enough to automatically take care about cookies. Being added and enabled it fetches cookies from Set-Cookie response header and adds them to the next request enabling client-side state management, cookie based authentication, etc. Moreover, it provides access to cookies via JMeter Variables assuming CookieManager.save.cookies=true property is set in user.properties file (lives under /bin folder of your JMeter installation).
In regards to fields like Name, Value, Domain, etc. - this way you can define your own custom cookies or override existing cookies if i.e. you need to hard-wire a request to this or that node behind the load balancer, simulate activity of certain user, whatever.
See Using the HTTP Cookie Manager guide for more details on this useful test element.
I would like to load cookies every time and everywhere in my website because when my RoR application receives and accepts an "external" HTTP request (ex: REST API), cookies are not loaded (see RFC2109). So their values are inaccessible.
Cookies are accessible only when the HTTP request is made "internally" in my application.
require "net/http"
# Headers to send with the request, including the Cookie header
new_cookies = {"Cookie" => "mycookie=1234;myothercookie=4567"}
Net::HTTP.get(URI.parse("http://app1.website.com/users"), new_cookies)
All browsers will automatically send any cookies you set from your domain, you can check them simply by calling request.cookies from any controller method. It doesn't matter if the request was initiated from within your application (such as a 302 redirect) or not.
I just tried this with Firecookie:
Created a cookie "mycoolcookie" for the domain ".stackoverflow.com"
Went to stackoverflow.com, firebug showed that the cookie was sent in the request header.
Went to meta.stackoverflow.com, firebug showed that the cookie was sent in the request header.
Went to chat.stackoverflow.com, firebug showed that the cookie was sent in the request header.
A cookie is sent automatically by the browser, the server can never request for a cookie to be sent to it.
REST APIs are generally stateless, therefore you should avoid the use of server-side sessions or client-side cookies. If you want to indicate that a user only grabs resources belonging to them, use the Rails nested resources approach, that results in a call like:
http://abc.com/user/user001/books
For all books that belong to user001.
If you are looking to implement security, first you have to use HTTPS instead of HTTP. For the actual implementation you can use Basic Authentication and set the username/password in the request header or you can use something like OAuth which sets up a token for the user that they pass in with each request.
While I realise that this is usually related to cross site scripting attacks, what I'm wondering is how can a session remain valid throughout multiple subdomains belonging to a single domain (example: a user logging in only once, and being able to access both subdomain1.domain.com and subdomain2.domain.com with the same session). I guess I first need to understand how it works, but so far I haven't been able to find much that would be of any relevance.
But then again, maybe I wasn't asking the right question.
Thanks in advance :)
Inproc sessions cannot remain valid, however you can code your web application to allow cookies across multiple subdomains. You will need to set the domain equal to:
Response.Cookies("CookieName").Domain = ".mydomain.com"
Remember the period.
There are quite a few ways to share session data or cookie data across domains. The simplest is to share it on the server side through a shared data store. But you would not be asking this question if it were that easy.
The other way to do this is equally simple. The domain one.com contains some session data say name=aleem and id=123 and wishes to pass this along to two.com. It will follow these steps:
Make a call to two.com/api/?name=aleem&id=123
When two.com gets the data via query parameters, it creates a cookie with the data. This cookie will be stored under the two.com domain.
two.com will then redirect back to the REFERER which in this case happens to be one.com
This is a simplified scenario. The domain two.com needs to be able to trust one.com and not only that but it needs to know that the request is authentic and not just crafted by the user so you need to use public/private keys to mitigate this.
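An added example (not from the original answer) of the authenticated handoff this answer calls for: one.com signs the data with its private key, and two.com, holding only the public key, verifies the signature, audience, freshness and single use before creating any cookie. The function names, the `token` format, the 60-second window and the choice of Ed25519 are assumptions; the return address is carried inside the signed payload and checked against an allow-list, because the Referer header is supplied by the client.

```javascript
// Added example: signed one.com -> two.com handoff (hypothetical helper names).
const crypto = require('crypto');

const MAX_AGE_MS = 60 * 1000; // assumed freshness window for a handoff token
const b64u = (s) => Buffer.from(s).toString('base64url');

// one.com side: sign the session data with one.com's private key.
function issueHandoff(privateKey, data, returnTo, now = Date.now()) {
  const payload = b64u(JSON.stringify({
    ...data,
    aud: 'two.com',                                // who the token is meant for
    iat: now,                                      // issue time, for expiry
    nonce: crypto.randomBytes(16).toString('hex'), // single-use marker
    returnTo,                                      // signed, instead of trusting Referer
  }));
  const sig = crypto.sign(null, Buffer.from(payload), privateKey); // Ed25519
  return `${payload}.${b64u(sig)}`; // sent as two.com/api/?token=<this value>
}

// two.com side: returns the verified claims, or null if no cookie may be created.
function acceptHandoff(publicKey, token, seenNonces, allowedOrigins, now = Date.now()) {
  try {
    const [payload, sig, extra] = String(token).split('.');
    if (!payload || !sig || extra !== undefined) return null;
    const sigBytes = Buffer.from(sig, 'base64url');
    if (!crypto.verify(null, Buffer.from(payload), publicKey, sigBytes)) return null;
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
    if (claims.aud !== 'two.com') return null;
    if (Math.abs(now - claims.iat) > MAX_AGE_MS) return null; // stale
    if (seenNonces.has(claims.nonce)) return null;            // replayed
    if (!allowedOrigins.includes(new URL(claims.returnTo).origin)) return null;
    seenNonces.add(claims.nonce);
    return claims;
  } catch {
    return null; // malformed token, JSON or URL
  }
}

// Constructed demo: one.com holds the private key, two.com only the public key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const token = issueHandoff(privateKey, { name: 'aleem', id: 123 }, 'https://one.com/home');
  return acceptHandoff(publicKey, token, new Set(), ['https://one.com']);
}
```

In a multi-server deployment the `seenNonces` set would live in a shared store with entries expiring after the freshness window.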
By default, all cookies for a site are stored together on the client, and all cookies are sent to the server with any request to that site. In other words, every page in a site gets all of the cookies for that site. However, you can set the scope of cookies in two ways:
Limit the scope of cookies to a folder on the server, which allows you to limit cookies to an application on the site.
Set scope to a domain, which allows you to specify which subdomains in a domain can access a cookie.
You can learn more here.
The comments about the cookie being set for the domain to allow subdomains to receive that cookie give you that side but what's missing is the consistency of session.
I think this is very much like the problem of maintaining state across servers in a farm and the solution is probably to ensure that your session store is consistent across both sites (if they are not served from the same 'web site' in IIS). You can move the Session store into SQL Server (HOW TO: Configure SQL Server to Store ASP.NET Session State) which would probably serve the purpose as each site would query the same store when looking for the session data related to the cookie they've been presented with.
I hope that gets you on the right track.
If you have the ability to set up a common subdomain, you can do this:
In your subdomain html files, include a javascript file at the top like this:
<script src="http://common.domain.com/check.asp"></script>
In check.asp, look for your logged_in cookie and if not present, show a page say, http://common.domain.com/login.asp using something like
<%
if (cookie_not_found){
%>
location.href = "http://common.domain.com/login.asp";
<%
}
%>
Once a person submits username password, submit it back to the same login.asp and set the session cookie, (which will be set in common.domain.com domain) and then redirect to http://subdomain1.domain.com.
What will happen now is, a call will be made to the embedded "common.domain.com/check.asp", and cookies for common.domain.com will be sent by the browser along with the request. So you will know whether your session is valid or not, even when you are in subdomain1.domain.com.
You can set a cookie for a specific domain.
In php, the setCookie() method contains a parameter in which you can specify the top-level domain, so the cookie is valid for all subdomains. Based on your tags, I see you are working in asp.net. Probably this also exists for asp...
after a little search for asp:
try this:
Response.Cookies("CookieName").Domain = ".mydomain.com"
or read this
Here is a solution which works:
http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/
I need to ensure that my webpage is always within an iframe owned by a 3rd party. This third party refers to our landing page using src="../index.php".
Now my question is, if I make use of referrer to ensure that the page was requested by either myself or from the third party and if not force a reload of the 3rd party site, are there any big gotchas I should be aware of?
For example, are there certain common browsers that don't follow the referrer rules?
Thank you.
Also, it's REFERER because it somehow got misspelled in the spec. That was my very first REFERER gotcha.
You can't use referrer to "ensure" that the webpage is always being called from somewhere else because of referrer spoofing.
Referrers are not required. If a browser doesn't supply it then you'll get yourself into an endless redirect loop. Referrer is effectively "voluntary" just like cookies, java, and javascript.
Although. You could keep a log of IP & time last redirected. Prune the logs for anything over 5 minutes old and never redirect more than once per 5 minutes. You should catch 99.9% of users out there but avoid an infinite redirect loop for the rest. The log cannot rely on anything in the browser (that's the original problem) so no cookie and no session. A simple 2-column database table should suffice.
The only way you could do this is to directly authorize the request because of referrer manipulation.
You could restrict requests to a set of IP addresses, if you want to be lax, or require that the including client/system has an authentication cookie for requests shown in the iframe.
Good Luck
Even well-known formats may change...
Google apparently has changed its referrer URL. April 14, 2009, An upcoming change to Google.com search referrals; Google Analytics unaffected:
Starting this week, you may start seeing a new referring URL format for visitors coming from Google search result pages. Up to now, the usual referrer for clicks on search results for the term "flowers", for example, would be something like this:
http://www.google.com/search?hl=en&q=flowers&btnG=Google+Search
Now you will start seeing some referrer strings that look like this:
http://www.google.com/url?
sa=t&source=web&ct=res&cd=7
&url=http%3A%2F%2Fwww.example.com%2Fmypage.htm
&ei=0SjdSa-1N5O8M_qW8dQN&rct=j
&q=flowers
&usg=AFQjCNHJXSUh7Vw7oubPaO3tZOzz-F-u_w
&sig2=X8uCFh6IoPtnwmvGMULQfw
(See also Google is changing its referrer URLs from /search into /url. Any known issues?)
Be aware that Internet Explorer (all versions) specifically OMITS the HTTP REFERRER whenever a user navigates to a link as a result of JavaScript. (bug report)
e.g.
function doSomething(url) {
    // save some data to the session
    // ...
    location.href = url; // IE will NOT pass the HTTP REFERRER on this link
}