Moving anon user tracking from image element to form submit

[iambibhas]

Anytime the site is loaded and there is -

• a scroll event
• a mouse pointer move event

the anon user session is set using a form submit.

Fixes #409.

[jace]

This should be in layout.html.jinja2 only. We have a problem if we’re copy pasting an entire block between templates.

[iambibhas]

i went through the templates, and they need some reorganization. Some blocks have been redefined in several places. I can fix them, but seems a little off topic for this PR. Maybe a separate PR for it?

[jace]

This will change with @vidya-ram's PWA PR (#425). We should revisit this PR once that is merged.

[iambibhas]

@jace alright.

[jace]

“Sniff” is the wrong term for this. We’re looking for an interactive session.

[jace]

Spelling.

[jace]

This will now be /api/1/anonsession. This should also move into an views/api.py.

[jace]

2 and 3 seem to be reversed. Also, you don’t need a test token in session['au'] anymore. A valid form CSRF token is enough. Our entire test token mechanism can be removed.

[jace]

Don’t reply with text. Return {'status': 'ok'} and wrap the view with render_with(json=True).

[jace]

Ugh, what is this? We should be doing automatic database commits if there’s a dirty session and no exception was raised. Better than such hacky flags.

[jace]

This is no longer needed since we’ll use the CSRF token cookie now.

[jace]

When does g.esession not exist?

[iambibhas]

@jace should these static files be in tablayout template? Shouldn't they be in individual templates that inherit them and needs c3/d3?

[jace]

We now use C3 enough that it should be in the top level requirements, and all these direct references should be removed.

[jace]

A few notes. Will need another review after the other PRs are merged.

[jace]

This will change with @vidya-ram's PWA PR (#425). We should revisit this PR once that is merged.

[jace]

We now use C3 enough that it should be in the top level requirements, and all these direct references should be removed.

[jace]

Are we using session['au'] for two different sorts of content? That doesn't seem clean.

[iambibhas]

I'm using session['au'] only to store anon user ID now. if it exists in cookie, it'll contain the anon user id.

[jace]

This line can go. It's not needed anymore.

[iambibhas]

@jace there is a view_application_email_gif endpoint where it's being used

hasjob/hasjob/views/listing.py

Line 397 in 41450f7

return gif1x1, 200, {

[jace]

Can this be moved into app.js? It adds bulk to every page otherwise (to pages served to bots).

[iambibhas]

But if we move it to app.js then it'll load with all page load regardless of bots or humans? Also, will have to hardcode the api endpoint.

[jace]

It will load only once because app.js is cached.

[jace]

Sends, not returns.

[jace]

"sent us", not "sent us back"

[jace]

if not g.user and not g.anon_user and csrf_form.validate_on_submit():

[jace]

What does this do? session['au'] contains a brand new id. How is it a cache reference?

[jace]

Keep the comments.

[jace]

Under if g.user: add g.anon_user = None, and then an else clause before the following line. You don't want to have both g.user and g.anon_user

[jace]

Move this to a function that is called both here and in the the anonsession endpoint after setting g.anon_user. Comment needs to change as well.

[jace]

Cache has to be saved before we have an anonymous user. It's not relevant after.

[jace]

@iambibhas Here is how this is supposed to work.

First, we recognise three states for a user's identity:

1. Unknown: We know nothing about this client. It's new, and it could be a bot or a user, but we don't know yet.
2. Anon User: The client is behaving like a user using a browser, so we believe this is a human.
3. User: The user has explicitly logged in.

When the user transitions from stage 2 to stage 3, we want to preserve their browsing history. This is why we do g.anon_user.user = g.user following which we set g.anon_user = None. The session is retained on the anon user account, because the browsing activity was anonymous, but we link the anon user account to the regular user account for future use (it's meant for keeping track of A/B test behaviour: if they were shown A or B before they logged in, we need to remember which one they were shown even after they logged in).

The transition from stage 1 to 2 is trickier. At stage 1, it could be a scraping bot causing a lot of traffic. We don't want to track session history for that, but we also don't want to lose the history of a client that turns out to be an anon user. Therefore:

1. Assign a probe cookie session['au'] = uuid4() to every incoming request.
2. Create a non-persistent EventSession and give it the same user id. Save it to Redis cache with a 5 minute timeout.
3. When the anonsession API endpoint is called (previously, the sniffle endpoint), create an AnonUser account with the same userid, retrieve the session from cache, and now save it to the database.

A bot will also create a Redis EventSession entry, but it will be auto-discarded in five minutes.

[jace]

This needs to be jsonified.

[jace]

Typo. impression or impressions?

[jace]

Use the main save_impressions function.

[jace]

You don't need this function. Call save_impressions or save_impressions.delay directly from wherever you need it.

[jace]

session.pop('au') since it's guaranteed present. If it's not, that's definitely an error worth raising for us to investigate.

[jace]

Use regular save_impressions.

[jace]

I'd move this into a generic function in Coaster so that this call can be commit_if_necessary(db.session)

[jace]

Or we could just do db.session.commit() without an if condition. What is the impact of committing an empty transaction?

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}