informatics-isi-edu/webauthn

add pseudo session info for anonymous client tracking

Closed this issue · 4 comments

Some kind of tracking cookie that will act similarly to a session cookie without granting any privileges, so that it could be included in the web service audit log for event correlation.

  • Add tracking cookie awareness to the webcookie provider
  • Add tracking field to the Context object
  • Add tracking field to the /authn/session response object
  • Add tracking field to the webauthn service's own syslog output
  • Relay cookies via mod_webauthn internal server request

After several laps around the track, I think we've decided what we really want! It's not a session ID but user tracking.

We can configure apache httpd's mod_usertrack module as follows:

<IfModule mod_usertrack.c>

  # DNT header absent or "DNT: 0": assign a tracking cookie on the client's first visit
  <If "req('DNT') -eq 0 || -z req('DNT')">
    CookieName webauthn_track
    CookieExpires "1 year"
    CookieTracking on
  </If>

  # "DNT: 1": the client opted out, so set no cookie
  <If "req('DNT') -eq 1">
    CookieTracking off
  </If>

</IfModule>

This will set a cookie with a unique ID for the first access to our server, unless the client has opted out with the DNT (do not track) standard.

In webauthn, we can just look for this cookie and add a new tracking field to the webauthn.Context object with the cookie value, or set this field to None if the client is not being tracked. We can do this whether or not the user is authenticated, and our services can log this tracking value.

The tracking field will be added to the JSON session representation which currently includes other Context fields like client, attributes, expires, and http_vary. This content will be bundled into the JSON session blob supplied by mod_webauthn and unpacked by the context_from_environment() helper.

But, mod_webauthn needs to be modified to include all client-supplied cookies in its internal GET /authn/session request in the server. Otherwise, the tracking cookie will be dropped and all of this work amounts to nothing.

In summary, webauthn can become aware of tracking cookies and expose them. But the site admin will have to deploy mod_usertrack to actually enable any such tracking on a particular host.
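The flow sketched in the comment above (DNT check, cookie lookup, a tracking field on the context that is None for untracked clients, the JSON session representation, and a log line that correlates anonymous requests), as an added example that is not part of the original thread and not the webauthn project's own code. The names TRACK_COOKIE, SESSION_ENV_KEY, Context, context_from_environment and audit_line, and the sample environ, are assumptions made for illustration; the only name taken from the thread is the cookie name webauthn_track.

```python
import json
from http.cookies import SimpleCookie, CookieError

# Added example, not code from the webauthn project: it shows how a service
# can surface the mod_usertrack cookie as a privilege-free "tracking" field
# next to its session data. TRACK_COOKIE, Context, context_from_environment,
# SESSION_ENV_KEY and audit_line are assumed names for illustration only.

TRACK_COOKIE = "webauthn_track"        # must match CookieName in httpd.conf
SESSION_ENV_KEY = "WEBAUTHN_SESSION"   # assumed: where the front-end module
                                       # leaves its JSON session blob


def dnt_allows_tracking(environ):
    """Mirror the httpd <If> rule: track only when DNT is absent or '0'.

    Anything else (e.g. 'DNT: 1') is treated as an opt-out, so the service
    never records an id the client asked us not to assign."""
    return environ.get("HTTP_DNT", "").strip() in ("", "0")


def tracking_id_from_environ(environ):
    """Return the mod_usertrack cookie value, or None if the client is untracked."""
    raw = environ.get("HTTP_COOKIE", "")
    if not raw:
        return None
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except CookieError:           # malformed header: treat as untracked
        return None
    morsel = jar.get(TRACK_COOKIE)
    if morsel is None or not morsel.value:
        return None
    return morsel.value


class Context(object):
    """Minimal stand-in for a request context carrying session-like fields."""

    def __init__(self, client=None, attributes=(), expires=None,
                 http_vary=(), tracking=None):
        self.client = client              # authenticated identity, or None
        self.attributes = list(attributes)
        self.expires = expires
        self.http_vary = list(http_vary)
        self.tracking = tracking          # anonymous correlation id, or None

    def to_dict(self):
        return {
            "client": self.client,
            "attributes": self.attributes,
            "expires": self.expires,
            "http_vary": self.http_vary,
            "tracking": self.tracking,    # grants nothing; for log correlation
        }

    def to_json(self):
        return json.dumps(self.to_dict(), sort_keys=True)


def context_from_environment(environ):
    """Rebuild a Context from the JSON session blob if the front-end module
    supplied one; otherwise (no session, or the blob lacks the tracking field
    because cookies were not relayed) fall back to reading the cookie directly."""
    blob = environ.get(SESSION_ENV_KEY)
    data = json.loads(blob) if blob else {}
    tracking = data.get("tracking")
    if tracking is None and dnt_allows_tracking(environ):
        tracking = tracking_id_from_environ(environ)
    return Context(
        client=data.get("client"),
        attributes=data.get("attributes", []),
        expires=data.get("expires"),
        http_vary=data.get("http_vary", []),
        tracking=tracking,
    )


def audit_line(ctx, method, path, status):
    """One syslog-style audit record; anonymous requests still carry a tracking id."""
    return "client=%s tracking=%s method=%s path=%s status=%d" % (
        ctx.client or "-", ctx.tracking or "-", method, path, status)


# Constructed sample WSGI environ (not captured from a real server).
SAMPLE_ENVIRON = {
    "HTTP_COOKIE": "theme=dark; webauthn_track=10.1.2.3.1618329300123456",
    "HTTP_DNT": "0",
}

if __name__ == "__main__":
    ctx = context_from_environment(SAMPLE_ENVIRON)
    print(ctx.to_json())
    print(audit_line(ctx, "GET", "/authn/session", 404))
```

The fallback in context_from_environment re-checks DNT before touching the cookie: a client that opted in earlier and later sends DNT: 1 still presents the old cookie, and the service should not keep correlating on it even though httpd will stop issuing new ones. The tracking value is deliberately kept out of every authorization decision and only ever written to the log.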

BTW, the config entry described above didn't work for me -- I didn't get a cookie even when I turned DNT off in my browser. To get tracking to work on rbk-dev, I've temporarily created a file called /etc/httpd/conf.d/usertrack.conf that's basically:

<IfModule mod_usertrack.c>
    CookieName webauthn_track
    CookieExpires "1 year"
    CookieTracking on
</IfModule>

This means it's not honoring DNT. I haven't put this into the recipe or moved it onto staging or production.

I'm also less sure than I was before that we should be honoring DNT, since Chrome, at least, doesn't allow you to turn it off for specific sites.

However we decide to enable this, there should be a standard recipe for it.

I did a similar test and see that Firefox is also sending DNT: 1 no matter what settings I attempt to adjust in the browser/privacy settings.

I can confirm that I see the desired tracking cookie (for this issue) when I change the server to ignore the DNT header and enable tracking in spite of my browser.