If I send a request like this via Measurement Protocol:
v=1&tid=UA-123456-2&cid=455646456.4646456456&uid=123
What will happen? Given that UID hasn't been set on the site before.
Will this request associate the provided client ID with user ID 123?
Or can I only provide a UID that has already been set on the website like this:
ga('set', 'userId', USER_ID);
The JavaScript tracker is built on top of the Measurement Protocol, and basically all a "set" call does is add a parameter to the eventual tracking URL; it does not perform any special magic that enables user ID tracking.
The tracking works the same way if you create the tracking URL some other way; you can use anything that's in the parameter reference.
Given that UID hasn't been set on the site before.
Will this request associate the provided client ID with user ID 123?
That depends on whether or not you've enabled session unification.
I am currently building a web application, and I am considering using Firebase auth and its database. My concern is: if the user ID is in the browser, does it create any security issue?
For example, say that my user ID is 12345, and I would like to show some information about user 12345 on a certain page. In order to move to the page where I can see the user's information, I click some element (like a button) and go to the page. (Ex: https://localhost:9876 => https://localhost:9876/12345) In this case, the user ID is visible, but I am not sure if this is a reliable approach.
Thanks.
EDIT: I just noticed that security rules should be used, thanks to Eric's comment. However, I am not 100% sure if the rule can be used for the auth object too. For example, the auth object is used to get the user ID, but using the user ID, is it possible for someone to obtain the user's email address, which is stored in the auth object? For instance, in the above example, someone might obtain user 12345's email address using the user ID, 12345.
The correct way to secure user-related resources is via a Firebase ID token. Database/Storage rules already rely on this mechanism. You cannot just rely on the correct user ID being provided. That provides no security. Instead, before returning restricted resources, you should verify the ID token and trust only its content, which includes the UID. FYI: the Firebase Admin SDKs already provide an API to verify an ID token.
Typically the way to pass the ID token (if you are not using real-time database), is as follows:
Single page app: you can call getIdToken() and then pass the latest ID token in the URL query parameter, post body or the header as you send an XHR request to your server.
Traditional website: you have to set a session cookie. The easiest way is to set the ID token as session cookie and keep updating it on expiration. On your backend, you will verify this before returning the user specific resource.
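The check described in the answer above, as an added example that is not part of the original answer: the UID in the URL is treated only as a resource name, and access is decided from the UID inside the verified token. The function names, the Express-like request shape and the demo tokens are assumptions; with the Firebase Admin SDK the injected verifier would be `(t) => admin.auth().verifyIdToken(t)`.

```javascript
// Added example. verifyIdToken is injected so the logic runs offline; with the
// Firebase Admin SDK it would be (t) => admin.auth().verifyIdToken(t).
async function authorizeProfileRequest(req, verifyIdToken) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer ([A-Za-z0-9_.-]+)$/.exec(header);
  if (!match) return { status: 401, reason: 'missing bearer token' };

  let claims;
  try {
    // The verifier must reject a bad signature, wrong project or expired token.
    claims = await verifyIdToken(match[1]);
  } catch (err) {
    return { status: 401, reason: 'invalid token' };
  }

  // The UID in the URL only names the resource; identity comes from the token.
  if (claims.uid !== req.params.uid) {
    return { status: 403, reason: 'token uid does not own this resource' };
  }
  return { status: 200, uid: claims.uid };
}

// Constructed stand-in verifier and tokens, for demonstration only.
const DEMO_TOKENS = { 'tok-alice': { uid: '12345' }, 'tok-bob': { uid: '67890' } };
async function demoVerify(token) {
  if (!Object.prototype.hasOwnProperty.call(DEMO_TOKENS, token)) {
    throw new Error('bad token');
  }
  return DEMO_TOKENS[token];
}
```

A request for /12345 carrying user 67890's valid token gets 403, which is the case that a check on the URL alone would miss.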
My website sends the usual page views and events to GA using the JavaScript API.
Days after the user session, I need to send more data from the server using Measurement Protocol.
After sending the nonInteractive hit with updated custom dimensions, I see that the user's device category changed from the original device category (Desktop/Mobile/Tablet) to the Desktop device category.
I understand that GA recognizes the server's User-Agent as a Desktop device.
Is there any way to make GA ignore the server's User-Agent?
You can override the user agent by collecting the user's user agent at the time you collect their client ID, and sending this user agent along with the Measurement Protocol hit with the key ua=.
For example:
v=1 // Version.
&tid=UA-XXXXX-Y // Tracking ID / Property ID.
&cid=555 // Anonymous Client ID.
&t=pageview // Pageview hit type.
&uip=1.2.3.4 // IP address override.
&ua=Opera/9.80 // User agent override.
For an overview see:
https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters#ua
For specific reference see:
https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters#ua
I use different ways to send events to Google Analytics on my website. Some user interface interactions are sent using ga.js, but some user actions (e.g. successful auth or transaction) can only be sent from the server side (PHP) using Measurement Protocol.
Events are both successfully sent and arrive in GA, but there's no link between the JS and PHP events. For example, a user entered the website, clicked some buttons (stats sent by JS) and made a transaction (stats sent by PHP). After that I see the JS events linked to one session, but the PHP event isn't linked. It is just displayed as a separate event.
What information should I store and pass to Measurement Protocol to have those events linked?
You need to send the client id (as set in the ga cookie, because this is the key GA uses to group visits into sessions) and possibly the user ip override and user agent override.
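An added example (not from the original answers) covering both this answer and the earlier user-agent override answer: it extracts the client ID from the `_ga` cookie and builds a server-side hit that reuses it along with the stored `ua` and `uip`. It assumes the analytics.js cookie layout `GA1.<depth>.<random>.<timestamp>`; the function names, the 512-character cap and the sample values are constructed.

```javascript
// Added example. The _ga cookie is client-controlled input, so only a value of
// the expected shape is accepted before it is placed into a hit payload.
const CID_RE = /^\d{1,10}\.\d{1,10}$/;

function clientIdFromCookieHeader(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== '_ga') continue;
    const fields = rest.join('=').split('.');
    const cid = fields.slice(-2).join('.'); // client ID = last two fields
    if (fields.length === 4 && fields[0] === 'GA1' && CID_RE.test(cid)) return cid;
  }
  return null; // no cookie, or a malformed one: do not guess a client ID
}

function buildServerHit({ tid, cid, ua, uip, uid, params }) {
  if (!/^UA-\d+-\d+$/.test(tid || '')) throw new Error('invalid tracking id');
  if (!CID_RE.test(cid || '')) throw new Error('invalid client id');
  // URLSearchParams percent-encodes every value, so stored strings cannot
  // smuggle extra parameters into the payload.
  const q = new URLSearchParams({ v: '1', tid, cid, ...params });
  if (ua) q.set('ua', String(ua).slice(0, 512)); // browser UA saved with the cid
  if (uip) q.set('uip', String(uip));            // visitor IP saved with the cid
  if (uid) q.set('uid', String(uid));            // only for a logged-in user
  return q.toString();
}

// Constructed sample: values a server might have stored during the web session.
function demoHit() {
  const cid = clientIdFromCookieHeader('theme=dark; _ga=GA1.2.455646456.4646456456');
  return buildServerHit({
    tid: 'UA-123456-2', cid, ua: 'Opera/9.80', uip: '1.2.3.4',
    params: { t: 'event', ec: 'checkout', ea: 'transaction', ni: '1' },
  });
}
```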
I have a little web browser in my application that hits a webpage using Google analytics. That little web browser has cookies and local disk storage disabled.
Are my user analytics going to be skewed because of this? Is every user reported as a new user when in actuality they are an existing one?
Yes, your Analytics data is going to be impacted. For example, you will not be able to differentiate hits between Sessions and Returning Visitors. As you say, each Visitor will be reported as a new one.
Analytics uses the Client ID parameter to uniquely identify a Visitor. As the official Field Reference states:
Client ID
Required for all hit types.
Anonymously identifies a browser instance. By default, this value is
stored as part of the first-party analytics tracking cookie with a
two-year expiration.
If your application can generate a unique key for each user and persist it elsewhere than in cookies or localStorage, you could still create your own Client ID:
Disabling Cookies
By default, analytics.js uses a single cookie to persist a unique
client identifier across pages. In some cases you might want to use
your own storage mechanism and send data directly to Google Analytics
without the use of cookies.
You can disable analytics.js from setting cookies using the following:
ga('create', 'UA-XXXX-Y', {
'storage': 'none',
'clientId': '35009a79-1a05-49d7-b876-2b884d0f825b'
});
When you disable cookie storage, you will have to supply your own
clientId parameter except for the special case where you are using
cross-domain linking parameters.
Yes. Google Analytics uses the client ID to determine if a user is new or returning.
Note, if your users are logged in (probably not though without cookies), then you can use the user ID feature to determine new from returning users.
According to this article, the auth variable in Rules only gets the uid and provider properties, while the client-side authData gets password.email.
What if I want to write the rules based on the domain name in the email address? I would very much like to have password.email on the server side as well.
Or is there another way?
Update (from comments)
Please consider the following code written by somebody who wants to gain access to any data that belongs to 'hotmail.com':
Create account: fbase.createUser({ email : 'john@example.com', password : 'qwerty' });
Then he logs in and stores in Firebase '/users/'+authData.uid+'/domain' the value 'hotmail.com'.
Does that not give him access to 'hotmail.com' data even if his email is at the example.com domain?