How to track users across domains? - php

We got pitched this idea yesterday. A user visits our site and is marked. Then when they visit other sites like CNN they are targeted with ads for our site. So once they are exposed to us, they start to see us everywhere, creating the illusion we are bigger than we are.
The person pitching it said it was done by cookies. I was very skeptical since I don't believe there to be any way to see what cookies a different domain has set. So I wanted to try and figure out how it was accomplished. The salesman called this technology pixel tracking.
I have never heard of pixel tracking but from my research I have found that it is placing a 1 pixel image that references a script on another domain with parameters to be executed. My first thought was, OK maybe it's possible this way.. But I still don't know how?
Can anyone explain how they are able to mark you as visited our site, and then see this mark on another site? Is it from your IP?

Included at the bottom of the (CNN) website in this case is an img tag like:
<img src="http://www.webmarketingCompany.com/pixel.php?ID=623489593479">
When a user visits the (CNN) website, and the browser renders the page, it sends http requests for all the images as well, including a request to http://www.webmarketingCompany.com for the image pixel.php which includes the ID as a get parameter. pixel.php not only returns an image, typically a 1x1 transparent gif (so it isn't visible in the rendered page), but can do a whole host of additional processing using the ID value; and it also has access to any webmarketingCompany.com cookies, which are also sent with the http request.
Of course, CNN have to agree to include the img tag in their html. Typically it's used as a tracker by third party marketing companies working on behalf of CNN to identify who is visiting their site, what pages they're viewing, etc.
But because it's a PHP script, it can do a whole host of extras, such as setting further cookies. If webmarketingCompany.com also handle ad-serving on behalf of CNN, they can do some creative selection of the ads that they choose to serve.
Such cross-client "pollination" is frowned upon, certainly here in the UK.

What you are describing is pretty standard for all advertisement networks. The only difference here is that they will place that cookie on your site as well.
As long as the browser has "accept third party cookies" set to true, this will work as the salesman said. Most browsers have the setting set to true by default, the only exception I can think of is Safari.
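The pixel mechanism described in the answers above, as an added example that is not part of the original posts: a PHP sketch of what a pixel.php endpoint receives and sets, driven by two constructed requests from the same browser. The function name handle_pixel, the cookie name vid and the .example page URLs are assumptions made for the illustration.

```php
<?php
// Added illustration: what a third-party pixel.php endpoint sees and sets.
// handle_pixel(), the "vid" cookie and the sample requests are constructed.

// A transparent 1x1 GIF, base64-encoded.
const PIXEL_GIF = 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';

function handle_pixel(array $query, array $cookies, array $server, array &$log): array
{
    // The browser attaches the tracker's own cookie whichever site embedded the <img>.
    $visitor = $cookies['vid'] ?? null;
    $headers = ['Content-Type: image/gif', 'Cache-Control: no-store'];
    if ($visitor === null || !preg_match('/^[0-9a-f]{32}$/', $visitor)) {
        $visitor = bin2hex(random_bytes(16));
        // Current browsers send a cookie in a third-party context only when it is
        // marked SameSite=None and Secure, and only if third-party cookies are allowed.
        $headers[] = "Set-Cookie: vid=$visitor; Max-Age=31536000; Path=/; "
                   . 'Secure; HttpOnly; SameSite=None';
    }
    // The Referer header tells the tracker which page carried the pixel.
    $log[] = [
        'visitor' => $visitor,
        'client'  => $query['ID'] ?? '',
        'page'    => $server['HTTP_REFERER'] ?? '',
    ];
    return ['visitor' => $visitor, 'headers' => $headers, 'body' => base64_decode(PIXEL_GIF)];
}

// Constructed requests: one browser loads the pixel from two unrelated sites.
$log = [];
$first = handle_pixel(['ID' => '623489593479'], [],
    ['HTTP_REFERER' => 'https://our-site.example/pricing'], $log);
$second = handle_pixel(['ID' => '623489593479'], ['vid' => $first['visitor']],
    ['HTTP_REFERER' => 'https://news-site.example/world'], $log);

foreach ($log as $hit) {
    printf("%s requested the pixel from %s\n", $hit['visitor'], $hit['page']);
}
```

The visitor id is the "mark": it lives in a cookie scoped to the tracker's domain, so neither embedding site ever reads the other's cookies. A browser that blocks third-party cookies sends the second request without vid, and the link between the two visits is lost.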

Related

Check if first time viewing page

At the moment, I'm working on a website that could use some extra user usability, so I want to launch a couple of modal windows to aid users on their first time visiting of a couple pages.
I want to check if it is a user's first time viewing a specific page. I've read about how you can run into problems when using cookies to do this. They can be deleted, the user can use a different PC or device, etc.
Also, I want to check for multiple pages if it's their first time viewing, not only directly after login.
I'm guessing a good idea for this would be to make a separate table with the pages in it that I need and setting a boolean for it if it is viewed or not.
Would this be the best way going about doing this?
There isn't a highly reliable way of doing that:
You can use cookies, but as you said, they are not reliable, a user can change PC, delete cookies, change browser, etc.
You can try using an IP address, but that's also not reliable. If a user switches address (which can today happen as you walk down the street with your mobile phone) he'll see the page over and over again. Moreover, if some other user happens to stumble upon the IP address the first user used, he won't see your tour/tutorial.
What I can suggest is that you use cookies to detect if the user is new, but don't automatically throw the help modules on him, but prompt him using a non-obstructive toolbar at the top or bottom (never a popup window or lightbox).
That way, you get most of the users (because many people use the same browser and computer and rarely delete all their cookies), and even if a user has deleted his cookies/he still won't be disturbed that much.
There is no reliable approach if user is not registered and logged in with her/his username & password.
As mentioned before, there is no reliable way of detecting users (and detecting if the user visits the site the first time). I also recommend Madara Uchiha's approach. You could also use HTML5 local storage in addition to cookies; both are not 100% reliable.
You can however try user recognition without relying on cookies or HTML5 storage, but this is extremely complicated; you don't want to do this.
Just to satisfy your curiosity about how to do this, check this epic answer on a related question:
User recognition without cookies or local storage
I think, as I believe, there is no way with no solution. I think, a possible way consists of some parameters which first to be said and finally by considering those, we can be able to talk about possibilities and impossibilities.
My parameters are in the below;
talk about features of a webpage as "User Detection" and detail them
think about reactions (I mean being fast to click on any elements of a page or not) on a webpage
inspect elements
URL injection
other reactions like click on some parts as spots placed on the page
stay on that page up to a time defined for being and checking authorizing
and so some solutions like the ones above.

Securely posting and then printing JavaScript tags

I am trying to develop a back-end Ad Checking application in PHP. We have lots of places where ads can be shown and almost all of them have their own unique requirements (they are shown inside games, that is why every one is different in size, weight, format, etc.). Since this can cause lots of confusion on campaigns targeting different games (with the agencies sending us ads with the wrong formats), we need to check every ad to make sure it works as expected.
The application works fine if our clients send us the Ad File to check. But most of the time they send Adserver tags, so they can keep track of the results, and those tags generally are javascript and iframe tags.
The problem is how to securely allow the insertion of javascript and iframe code, and render that to the page on the postback page (for visual checking), on all browsers, without risking XSS problems?
At the moment, I've managed to post the code and print to the postback page on all browsers, but Chrome, because of the security measures. But since I'm gonna have to tackle that issue anyway, how can I make it work on all browsers and still be sure the application is safe?
Thanks.
Decio
If you include 3rd party javascript code, you are always risking XSS. Let's say, you're testing the code from ad provider:
<script src="http://some3rdPartySite.com/script.js"></script>
Script can be altered to be displayed and to cause different results on target domain and on all other pages. That is, you can see how it wants to be showed to you, but you can't be sure that it will be the same in some of your customer's games.
Ad provider can change the script on its server at any moment, possibly after your tests.
If you do not trust your ad vendors, I suggest to let them choose image + URL or iframe URL + dimensions. You can do "bad stuff" with Iframe too (like frame-busting thus redirecting from your customer page), but you still must obey cross-domain policy. This is not the case if you let javascript code to be executed.
You could also provide your own analytics for ad vendors to fill their needs.
Anyway, for testing javascript results you could use Selenium drivers with any browser: http://seleniumhq.org/. It lets you load any page, execute javascript code and get results. In this way you could load your javascript code, search DOM for nodes and check their dimensions etc.
Also, you can look at sahi: http://sahi.co.in/w/

Cross domain cookie tracking

The company I work for has four domains and I'm trying to set up the cookies, so one cookie can be generated and tracked across all the domains. From reading various posts on here I thought it was possible.
I've set up a sub domain on one site, to serve a cookie and 1*1 pixel image to all four sites.
But I can't get this working on the other sites.
If anyone can clarify that:
It's possible?
If I'm missing something obvious or a link to a good example?
I'm trying to do this server side with PHP.
Thanks
Are you having issues due to Internet Explorer and their Privacy stuff?
Session variables are lost if you use FRAMESET in Internet Explorer 6
Back in my former internet days, when IE6 first came out, we had to implement this because it broke some of our tracking. It's amazing that all you have to do is fake it, and everything works fine.
You're on the right track, we had a domain that hosted the tracking cgi that served the 1x1 transparent pixel and tracked what page a user was visiting. We then had a custom parser that would combine that data with Apache logs and dynamically created a graph of users' traffic patterns through our website. This was using dot from the Graphviz package.
This kind of thing is pretty easy if you are just trying to do stats, but if you're actually trying to persist user data across domains you'll have to do something more complicated.
The best way to set a cross-domain cookie is to make sure all your sites are subdomains of one master domain, say initech.com. So one of your sites, site1.initech.com, sets the cookie with a domain of ".initech.com" and it works fine.
It could be a problem if your sites are on totally different domains though.
Rather than try to set one cookie that each site can access, what you'll have to do is make sure that each site has its own exact duplicate of the original cookie. So, have your site, site1.com, set the cookie for itself and output three 1x1 gifs, or AJAX calls or whatever, to site2.com, site3.com and site4.com setting the same cookie to the same value.
This will be difficult to do securely and reliably ;)
To make sure somebody can't set arbitrary cookies on your domain, you'll have to pass through a hash of the cookie value on the image tag. If the cookie to be set is "mycookieval", also pass through md5("mycookieval"."somesecretstring".$_SERVER['REMOTE_ADDR']). This is potentially bad because it might allow an attacker to set the same cookie to the same IP address, or possibly to brute-force the hash generation.
You could compensate for this by inserting a record into a backend database whenever you set the cookie, and having the other three sites check against it for validity.
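One way to harden the signed image-tag parameter from the answer above, as an added example that is not the answerer's code: it swaps the md5 concatenation for an HMAC-SHA256 over the cookie value, an expiry time and a single-use nonce, and compares signatures in constant time. SYNC_SECRET, b64url(), make_sync_token() and accept_sync_token() are hypothetical names, and the $seen array stands in for the backend database record the answer suggests.

```php
<?php
// Added illustration: signing a cookie-sync request between sibling sites.
// All names here are hypothetical; the secret is a placeholder shared by the sites.
const SYNC_SECRET = 'replace-with-a-long-random-secret';

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Runs on site1.com: builds the value placed in the 1x1 image URL for site2.com etc.
function make_sync_token(string $cookieValue, int $now, int $ttl = 60): string
{
    $payload = b64url(json_encode([
        'v'   => $cookieValue,
        'exp' => $now + $ttl,               // short lifetime limits replay
        'n'   => bin2hex(random_bytes(8)),  // nonce makes each token single-use
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SYNC_SECRET, true));
}

// Runs on the receiving site: returns the cookie value to set, or null to refuse.
function accept_sync_token(string $token, int $now, array &$seen): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $expected = b64url(hash_hmac('sha256', $parts[0], SYNC_SECRET, true));
    if (!hash_equals($expected, $parts[1])) {   // constant-time comparison
        return null;
    }
    $data = json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true);
    if (!is_array($data) || !isset($data['v'], $data['exp'], $data['n'])
        || $data['exp'] < $now || isset($seen[$data['n']])) {
        return null;                            // malformed, expired or replayed
    }
    $seen[$data['n']] = true;                   // record the nonce as used
    return $data['v'];
}

// Constructed demo: first use, replay, tampered signature, expired token.
$seen = [];
$token = make_sync_token('mycookieval', time());
var_dump(accept_sync_token($token, time(), $seen));
var_dump(accept_sync_token($token, time(), $seen));
var_dump(accept_sync_token($token . 'x', time(), $seen));
var_dump(accept_sync_token(make_sync_token('mycookieval', time() - 120), time(), $seen));
```

Only the first call returns the cookie value; the other three are refused. In production the nonce store must be shared storage with its own expiry, since an in-memory array does not survive between requests.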
This question's pretty cold, but in case anyone else stumbles on it, or the OP still has need, I've created an NPM module, which allows you to share locally-stored data across domains. It looks like this would exactly address the OP's need here, and it doesn't require all sites share a base domain.
https://www.npmjs.com/package/cookie-toss
By using an iframe hosted on Domain A, you can store all of your user data on Domain A, and reference that data by posting requests to the Domain A iframe.
Thus, Domains B, C, etc. can inject the iframe and post requests to it to store and access the desired data. Domain A becomes the hub for all shared data.
With a domain whitelist inside of Domain A, you can ensure only your dependent sites can access the data on Domain A.
The trick is to have the code inside of the iframe on Domain A which is able to recognize which data is being requested. The README in the above NPM module goes more in depth into the procedure.
Hope this helps!

how phpmyvisitors works?

I have installed the "phpmyvisitors" CMS to get statistics of my sites' visits.
It is written in PHP and is open source.
It gets a lot of useful information like:
-total visits
-viewed pages
-visitor browser information
-visitor distribution over the world
-how visitors access to site
-how much time they spend on sites
and ....
It is something like Google Analytics, but with fewer features.
My question is:
"How does it do all of them?"
I assume you mean phpMyVisites?
At a quick glance, it works very similarly to Google Analytics: A JavaScript snippet is embedded that sends a request to the server phpMyVisites runs on. That request contains all information JavaScript can get out of the client: Language, Screen resolution, browser version, OS....
On server side, I assume all that information is collected into a database, and a session cookie is set so different visitors can be told apart.
For users without JavaScript, an image tag will be included to at least get some basic information (IP and browser type can be found out on server side without JavaScript) and count the hit:
<noscript>
<p>phpMyVisites : better than Google analytics!
<img src="http://www.phpmyvisites.us/phpmv2/phpmyvisites.php"
alt="phpMyVisites" style="border:0" />
</p>
</noscript>
To recognize the country of a visitor, it is possible that a web service is contacted that tries to determine the country based on the visitor's IP address.
Everything else is "just" database analysis really - analyzing, calculating and presenting the data requested. If you want to know how a specific aspect of that works, I suggest you ask a new question detailing the aspect you want to know more about.

PHP Multi site login

I am currently working on a project that spans across multiple domains. What I want is for the user to be able to login on one site and be logged in on all the others at the same time.
The user's session is stored in the database, the cookies that I set on each domain contain the session id.
So basically when a user logs in to example.com a cookie is created with their session id, the session data is stored in the database. Once this is done a cookie needs to be created on all the other domains with this unique session id so that as the user travels from site to site they will automatically be logged in.
Now I have found a way to do this in Firefox (using image tags that execute PHP scripts on the other domains, essentially creating the different cookies on the different domains) but this method doesn't work in IE (haven't tested Opera or Safari etc. yet).
Does anyone have any ideas about how I can get this to work in IE?
Have a look at my question Cross Domain User Tracking.
What you need to do is to add another HTTP header to the "image".
Quote from Session variables are lost if you use FRAMESET in Internet Explorer 6:
You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.
A simple compact policy that fulfills this criteria follows:
P3P: CP="CAO PSA OUR"
This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed", which means that the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies to use (OUR).
You can set this header if you use the Response.AddHeader method in an ASP page. In ASP.NET, you can use the Response.AppendHeader method. You can use the IIS Management Snap-In (inetmgr) to add to a static file.
Follow these steps to add this header to a static file:
Click Start, click Run, and then type inetmgr.
In the left navigation page, click the appropriate file or directory in your Web site to which you want to add the header, right-click the file, and then click Properties.
Click the HTTP Headers tab.
In the Custom HTTP Headers group box, click Add.
Type P3P for the header name, and then for the compact policy string, type CP=..., where "..." is the appropriate code for your compact policy.
Not sure if it is a good suggestion at this point in your development, but you should definitely look at Single Sign-on if you want to do it the "right" way.
Is it just me, or does it sound like you're CSRFing yourself with your technique using images that works in Firefox?
Interesting approach, although I hope you're not opening yourself up to a security threat there.
I haven't done this myself, but I think you're going the right way. I would probably do the same, except instead of an image I would use a Javascript file. It would be generated on the server side and would update the cookies on the client side.
Possibly me being a bit silly, but could you not set the cookies for each domain name on login? So rather than them having one cookie when they login to Site A, they have five, or however many sites you have?
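// $sessid, $expire and $path are assumed to be set earlier in the login script
setcookie('A', $sessid, $expire, $path, 'domainA.com');
setcookie('B', $sessid, $expire, $path, 'domainB.com');
setcookie('C', $sessid, $expire, $path, 'domainC.com');
setcookie('D', $sessid, $expire, $path, 'domainD.com');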
