Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anon user tracking #409

Open
jace opened this issue Nov 16, 2017 · 3 comments · May be fixed by #433
Open

Anon user tracking #409

jace opened this issue Nov 16, 2017 · 3 comments · May be fixed by #433

Comments

@jace
Copy link
Member

jace commented Nov 16, 2017
edited
Loading

Anon user tracking has been disabled for the past several months as it tested only for cookie acceptance, and was easily fooled by headless browsers that play back cookies.

A less easily fooled mechanism could:

  1. Like CRSF, submit the verification code in both the cookie and the form. An anon user is created only if both match.
  2. Remove this submission from the current embedded image tag, and make it an explicit call that is triggered by a browser scroll or mouse move event, or other such event that will not occur in a headless browser – and maybe after a reasonable waiting period, say 30 seconds, since headless browsers are likely to scrape data and move on.

These changes will prevent accidental creation of anonymous user accounts, but won't stop an intentional submission by a customised browser. A mechanism by which to do automatic recaptcha without the click is yet to be defined.
@jace
Copy link
Member Author

jace commented Nov 16, 2017
edited
Loading

Cloudflare has a form of this "automatic recaptcha" when it gates some users based on unusual access behaviour.

@jace jace closed this as completed Nov 16, 2017
@jace jace reopened this Nov 16, 2017
@jace jace mentioned this issue Nov 16, 2017
Closed
@iambibhas
Copy link
Contributor

@jace if we move the anon user detection to JS based events, wont that make browsers with JS disabled a trouble?

@jace
Copy link
Member Author

jace commented Apr 3, 2018

We don't support browsers without JS anyway. That era is over.

@iambibhas iambibhas linked a pull request Apr 3, 2018 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Moving anon user tracking from image element to form submit hasgeek/hasjob
2 participants
@jace @iambibhas