How not to log URLs with recovery token using Matomo - matomo

We are integrating Matomo (formerly Piwik) to monitor our application visits.
We have a page for users to recover their password; the URL looks like:
https://example.com/pwdRecovery?token=ABCDEFGHIJKLMNOPQRST
Could you confirm that it is insecure to log the URL containing the recovery token with Piwik?
It is interesting to get statistics on this page, which is why I do not want to remove my Matomo tracking code there. How can I remove the confidential part of the URL from my Matomo stats?

Matomo (formerly Piwik) handles this for you; you just need to configure the names of the parameters you want to exclude.
Log in as the Super User and go to Administration > Manage Websites > Global list of Query URL parameters to exclude.
Documented in their FAQ:
How do I exclude URL query parameters from the URLs tracked, and from Pages reports?
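A client-side complement to that server-side exclusion, added here as an example (not from the answer or from Matomo's own code): redact the token in the browser before the tracker ever sees the URL, using the tracker's setCustomUrl call through the _paq queue. The list of sensitive parameter names is an assumption.

```javascript
// Added example: strip secret query values client-side before tracking the page
// view, as defence in depth beside Matomo's server-side parameter exclusion.
// Assumes the standard Matomo tracker loaded through the global _paq queue.
const SENSITIVE_PARAMS = ['token', 'reset_token', 'password']; // assumed names

// Returns a copy of href with every sensitive parameter's value replaced.
// The parameter name is kept so the Pages report still shows that the
// recovery page is used; only the secret value never leaves the browser.
function redactTrackedUrl(href, sensitiveParams = SENSITIVE_PARAMS) {
  const url = new URL(href);
  for (const name of sensitiveParams) {
    if (url.searchParams.has(name)) {
      url.searchParams.set(name, 'REDACTED');
    }
  }
  return url.toString();
}

// Push the redacted URL to the tracker, then record the page view against it.
function trackRedactedPageView(href, paq) {
  const safe = redactTrackedUrl(href);
  paq.push(['setCustomUrl', safe]);
  paq.push(['trackPageView']);
  return safe;
}

// In the browser: run this in place of the plain trackPageView push.
if (typeof window !== 'undefined' && Array.isArray(window._paq)) {
  trackRedactedPageView(window.location.href, window._paq);
}
```

This must come before the trackPageView push in the page's tracking snippet; it does not replace the server-side exclusion, which also covers URLs reported by other means.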

Related

Authorization Required You must first log in or register before accessing this page. If you have forgotten your password salesforce

I have set up a site, but when I open this site I get this type of error: Authorization Required
You must first log in or register before accessing this page. If you have forgotten your password, click Forgot Password to reset it.
click and check image
You need to make sure that the Visualforce page you created is accessible to the Guest user profile. To navigate to the Guest user, do as below:
Go to Setup -> Develop -> Sites -> Click Site name -> Public Access Settings
The sites under Digital Experiences / All sites are called Experience Cloud sites.
The sites under Sites and Domains > Sites are called Salesforce sites.
These are different categories of sites and they come with different behaviors.
Based on the screenshot you shared with me (the URL has force.com in it), it looks like your site is in the second category, so please be aware of that:
Users of Salesforce sites can only see their own data. If your program is trying to access data created by others, you will get the Authorization Required error.
As a way to test this, try commenting out the SOQL statements; the error message may go away.
Also check out the following link:
https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_user.htm&type=5&release=228
The Secure guest user record access setting was enabled in Summer ’20, but could still be disabled during that release. To safeguard your Salesforce org’s data, in Winter ’21, this setting is enabled in all orgs with communities or sites and can't be disabled. The Secure guest user record access setting enforces private org-wide defaults for guest users and requires that you use guest user sharing rules to open up record access. You also can't add guest users to groups or queues or grant guest users record access through manual sharing or Apex managed sharing.

How to exclude traffic from specific URL

I want to disable tracking traffic data for https://www.example.com/something?utm_source=something
How can I achieve this? I only found a way to exclude parameters, but this is not what I need. (https://piwik.org/faq/how-to/faq_81/)
For example when you have a website with a URL of “example.com”, by default Matomo (Piwik) will track all requests for this website, even those requests for Page URLs that do not belong to “example.com”. If you add the JavaScript tracking code on pages of “another-website.com”, these requests will be tracked in your website “example.com” in Matomo.
It is possible to configure your website in Matomo (Piwik) so that only requests to “example.com” will be tracked, and all other requests ignored. Go to Administration > Websites > click “Edit”. Below the “URLs” field for your website, there is a checkbox “Only track visits and actions when the action URL starts with one of the above URLs.”. If you click this checkbox, and click “Save”, Matomo will then only track requests where the domain and the path is an exact match of one of the URLs you specified for this website. This means each valid subdomain has to be specified separately. For example when the known URLs are ‘http://example.com/path’ and ‘http://good.example.com’, tracking requests for ‘http://example.com/otherpath’ and ‘http://bad.example.com’ are ignored.
from: https://matomo.org/faq/how-to/faq_21077/

Store utm source from url to database when user signup

I would like to keep the utm_source data when a user visits my site via a URL with a utm_source, in order to see the efficiency of each source.
URL example: http://www.mydomain.com/?utm_source=facebook&utm_medium=promoted&utm_campaign=welcome
I need to see which source each user signed up from. The best would be to keep the utm_source data in a column of the users table in the database.
I could not manage to catch and insert the source data when the visitor signs up in that session. My site is in PHP.
Any help will be appreciated.
You should look at the __utmz cookie (automatically created by the Google Analytics tracking code) for all the "utm" related information. In PHP it should be: $_COOKIE['__utmz'].
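The cookie approach from that answer, as an added example that is not part of the post: parse the classic Google Analytics __utmz value into utm_* fields and validate them before they reach the users table. The poster's site is PHP; this is written in JavaScript, and the cookie layout assumed is the documented classic GA format (four numeric dot-separated fields, then utmcsr=...|utmccn=...|utmcmd=... pairs). Cookie names and the allowed character set are assumptions.

```javascript
// Added example: read the __utmz campaign fields from a raw Cookie header
// and validate them before storing at signup. Cookie contents are client-
// controlled input, so bound length and charset here; the INSERT itself must
// still use a prepared statement.
const UTMZ_FIELD_MAP = {          // classic GA key -> column to store (assumed)
  utmcsr: 'utm_source',
  utmcmd: 'utm_medium',
  utmccn: 'utm_campaign',
  utmctr: 'utm_term',
  utmcct: 'utm_content',
};
const SAFE_VALUE = /^[A-Za-z0-9 _()./-]{1,100}$/;

// Pull one cookie out of a header such as "PHPSESSID=abc; __utmz=...; x=1".
function getCookie(cookieHeader, name) {
  for (const part of String(cookieHeader || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return null;
}

// Returns an object holding only the validated utm_* fields, or null when the
// value is malformed or carries no usable utm_source.
function parseUtmzCookie(raw) {
  if (typeof raw !== 'string') return null;
  const parts = raw.split('.');
  if (parts.length < 5) return null;          // need the four numeric prefixes
  const campaign = parts.slice(4).join('.');  // campaign values may contain dots
  const result = {};
  for (const pair of campaign.split('|')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const column = UTMZ_FIELD_MAP[pair.slice(0, eq)];
    const value = pair.slice(eq + 1);
    if (column && SAFE_VALUE.test(value)) result[column] = value;
  }
  return result.utm_source ? result : null;
}

// What the signup handler would store alongside the new user row.
function utmForSignup(cookieHeader) {
  return parseUtmzCookie(getCookie(cookieHeader, '__utmz'));
}
```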

Lack of security for force.com sites?

I am exposing a page with standardcontroller="account" to a public-facing force.com site. This page displays account-specific data to the clients. Now when a customer logs in to my website I want him to have access to his account's data and only his account's data. Here is the problem: the URL for a page with a standardcontroller has an Id field, such as "https://www.myforcesite.force.com/AccountViewPage?Id=a82347dod". If a user changes a few characters of the Id, it is very easy for him to access other people's account pages and bypass the login process. How can I prevent that?
I opened a ticket with Salesforce but they told me it's working as intended. I don't think a vulnerability to a trivial brute force attack should be intended, so I want to know if there are any fixes.
Create a StandardController extension and check whether the user logged in to your website has permission to view that account.
http://www.salesforce.com/us/developer/docs/pages/Content/apex_pages_standardcontroller.htm
What you are looking for is URL rewriting for force.com sites.
For example, let's say that you have a blog site. Without URL rewriting, a blog entry's URL might look like this: http://myblog.force.com/posts?id=003D000000Q0PcN
With URL rewriting, your users can access blog posts by date and title, say, instead of by record ID. The URL for one of your New Year's Eve posts might be:
http://myblog.force.com/posts/2009/12/31/auld-lang-syne

How to add the user name in the url for a Chrome extension?

I am working on a chrome bookmarking extension with google app engine as the backend. I am the only user now but I thought that if in the future there are other users the url needs to include the user name for the extension to interact with the backend. So I was thinking to change
http://ting-1.appspot.com/useradminpage
to
http://ting-1.appspot.com/user_name/useradminpage
where "user_name" is the gmail user id.
But I looked at twitter url and I see that they have
http://twitter.com/#!/user_name/
What is the purpose of "#!"? Is my scheme good enough in this case?
The # in a URL signifies the 'fragment identifier'. Historically this has been used to identify a part of a document identified by an 'anchor' tag, but recently webapp developers have begun to use it to pass information about the page state to JavaScript code running in the page. This is used because it's possible for JavaScript code to modify the fragment of the current page without causing the page to reload, meaning it can update as you browse through the webapp, and go right back to where you were when you reload the page.
The fragment is not sent to the server when the browser loads a page, so Twitter's server just sees a request for twitter.com; it's up to the JavaScript code in the page to examine the fragment and determine what to do after that.
In your particular case, assuming you're using the App Engine User service to authenticate users, you have a number of options for how to distinguish users in your URLs:
Use their email address. In theory this can change, and users may not want their address in a URL they will share. If the URLs are private, this is more or less a moot point.
Use their user_id. This is opaque and reveals no useful information about the user, so it's safe, but it's also meaningless and hard to remember.
Let users pick a nickname for their URLs, like Facebook and other services do, on a first-in, first-served basis.
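The fragment behaviour described in that answer, shown as an added example (not from the answer itself): split a URL into the part the server actually receives and the fragment that only page script can read, then pull a "#!/user_name/" segment out of it and apply the nickname option's constraints. The reserved route names and nickname rules are assumptions.

```javascript
// Added example: what the server sees versus what stays in the browser, and
// why anything keyed on the fragment cannot be authorised server-side.
function splitForServer(href) {
  const url = new URL(href);
  return {
    sentToServer: url.origin + url.pathname + url.search,
    clientOnly: url.hash, // never part of the HTTP request; only JS reads it
  };
}

// Top-level routes of the app that a nickname must not shadow (hypothetical).
const RESERVED_SEGMENTS = new Set(['useradminpage', 'login', 'logout', 'api']);
// A restricted charset lets the name sit in a path without encoding surprises.
const NICKNAME = /^[a-z0-9_]{3,15}$/;

function isValidNickname(name) {
  return NICKNAME.test(name) && !RESERVED_SEGMENTS.has(name);
}

// Extract the user segment from "#!/user_name/..."; null if absent or invalid.
function userFromHashbang(hash) {
  const m = /^#!\/([^/]+)\/?/.exec(hash || '');
  if (!m) return null;
  let name;
  try {
    name = decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed percent-encoding in the fragment
  }
  return isValidNickname(name) ? name : null;
}
```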
