@dev-101 opened this Issue on January 24th 2018

Piwik 3.2.1, Matomo 3.3.0

Thanks to a small custom plugin I use and the fact that it got broken out of the blue, during a tedious debugging session (as there was nothing in the logs!) I noticed that my account is recognised as 'anonymous' instead of super admin. Then... I saw this in the logs as soon as I was logged in:

error_log(serialize(Piwik::getCurrentUserLogin()));
// first my ip line
[Wed Jan 24 20:47:40.580978 2018] [:error] [pid 6796] [client my--ip--here--:24929] s:9:"anonymous";

// then this line -- strange?
[Wed Jan 24 20:47:41.609620 2018] [:error] [pid 6599] [client *.12.78.130:60558] s:18:"super user was set";

// then immediately my IP again afterwards, but still as anonymous ???
[Wed Jan 24 20:47:43.672229 2018] [:error] [pid 6749] [client my--ip--here--:25027] s:9:"anonymous";

This IP 62.12.78.130 is NOT MINE!

All IP variants (so far): (edit/update: IPs are anonymised by me)

.12.78.130
.185.183.24
.68.101.168
.208.213.133

What is going on? Any ideas? Why am I recognised as anonymous after login? On 3 different servers, 3 different PHP/server versions, mixed Piwik 3.2.1 / 3.3.0 (the upgrade didn't resolve the issue).

Thanks

@dev-101 commented on January 24th 2018

Piwik's integrity checks show everything is fine (except one function I've disabled on purpose, nothing strange is there).

@dev-101 commented on January 24th 2018

Is Piwik 'phoning home' whenever we login?
Is something broken in your API during this brand/name change?
As otherwise I cannot explain how this can happen on 3 different, separate and unrelated systems.

Update: there are definitely strange GET requests from those IPs above in my logs... I doubt this is Piwik/Matomo API related, for example:

*.208.213.133 - - [24/Jan/2018:21:11:57] "GET /piwik/piwik.php?ping=1&idsite=1&rec=1&r=645549&h=12&m=10&s=17&url=**%2F&urlref=https%3A%2F%2Fwww.google.co.ve%2F&_id=e5da08d1317195b6&_idts=1516810045&_idvc=1&_idn=0&_refts=1516810045&_viewts=1516810045&_ref=https%3A%2F%2Fwww.google.co.ve%2F&send_image=1&pdf=0&qt=0&realp=0&wma=0&dir=0&fla=1&java=0&gears=0&ag=0&cookie=1&res=1440x900&gt_ms=203&pv_id=wx2DSQ HTTP/1.1" 200 572

(note: **** url removed by me, IP anonymised by me)

@sgiehl commented on January 24th 2018 Member

@dev-101 The URL you posted is a "normal" tracking request.
What type of archiving are you using? triggered by cron job or browser archiving?
If you are using browser archiving, every tracking request might trigger an archiving process. As archiving needs to be done with "super user" access, the access is changed to super user for it and the user name is set to "super user was set".

@dev-101 commented on January 24th 2018

Hi Stefan, I don't use cron, so that explains this - thanks. However, why is Piwik not returning my username; instead it always returns 'anonymous'? It started happening 2 days ago out of the blue. I haven't made any changes, file integrity is OK, so nothing suspicious. Yet this line, required by my plugin, no longer works properly. Why?

Piwik::getCurrentUserLogin()

@sgiehl commented on January 24th 2018 Member

That line should return the currently logged in user. At which position do you call the method?

@dev-101 commented on January 24th 2018

Here's the initial code (again, everything was working fine until recently, and nothing was changed in my systems that should affect this behavior):

namespace Piwik\Plugins\MyPlugin;
use Piwik\Piwik;

class MyPlugin extends \Piwik\Plugin
{
    public function registerEvents()
    {
        $login = Piwik::getCurrentUserLogin();

@tsteur commented on January 24th 2018 Owner

At the time you are logging this, the authentication has not been executed yet AFAIK (so it is all good)

@dev-101 commented on January 24th 2018

Hi, but it was working just fine - how can we explain that? And the logging line was called after the $login = Piwik::getCurrentUserLogin(); line. I am really puzzled by this now. What would be the proper way to check if the user is logged in every time Piwik is called?

OK, I got confused for a moment; of course it is not, because the next line is this:

        $login = Piwik::getCurrentUserLogin();
        if ($login != 'anonymous') {
            return array(
                'Platform.initialized' => 'MyMethod'
            );
        }

Now, if I switch to Login.authenticate it works, but I need to execute it every time Piwik is called, not just at login. Again, it was working fine before.

@mattab commented on January 25th 2018 Owner

In your example above you typically want to move the "if" statement and this logic into your MyMethod. So you always define the events, but inside the event observers you can skip doing something. (Not sure if this would be enough to solve the issue.)
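
The suggestion above, spelled out as an added example (this is not code from the issue, from @mattab, or from the Matomo project). It reuses the plugin name, the `MyMethod` observer and the `Platform.initialized` event from the thread; the body of `MyMethod` is invented for illustration, and the `SettingsServer::isTrackerApiRequest()` guard is assumed to be available in Piwik 3 (verify against your version). The point is that `registerEvents()` runs while plugins are loaded, before the session or `token_auth` has been authenticated, so `Piwik::getCurrentUserLogin()` is always `anonymous` there; the login is only meaningful once the observer fires. The guard also covers the case @sgiehl described: during browser-triggered archiving inside a tracking request the access is raised to super user and the login reads "super user was set", which a plain `!= 'anonymous'` check would mistake for a logged-in human.

```php
<?php
// Added example, not the issue author's plugin nor Matomo's own code.
namespace Piwik\Plugins\MyPlugin;

use Piwik\Log;
use Piwik\Piwik;
use Piwik\SettingsServer;

class MyPlugin extends \Piwik\Plugin
{
    /**
     * Always register the observer. Authentication has not run yet at this
     * point, so any Piwik::getCurrentUserLogin() call here returns 'anonymous'
     * and would silently drop the event registration.
     */
    public function registerEvents()
    {
        return array(
            'Platform.initialized' => 'MyMethod',
        );
    }

    /**
     * Platform.initialized fires after the request has been authenticated,
     * so this is where the logged-in check belongs.
     */
    public function MyMethod()
    {
        // Assumption: SettingsServer::isTrackerApiRequest() exists in the
        // installed Piwik/Matomo version. Archiving triggered from a tracking
        // request runs with access elevated to super user ("super user was set"),
        // which is not a real user session, so skip such requests.
        if (SettingsServer::isTrackerApiRequest()) {
            return;
        }

        $login = Piwik::getCurrentUserLogin();
        if ($login === 'anonymous') {
            return; // nobody is logged in for this request
        }

        // Illustrative body: record who triggered the request and whether the
        // request runs with super user access, so elevated archiving runs can
        // be told apart from ordinary admin sessions in the log.
        Log::debug(sprintf(
            'MyPlugin: request by %s (super user access: %s)',
            $login,
            Piwik::hasUserSuperUserAccess() ? 'yes' : 'no'
        ));

        // ... work that should only happen for an authenticated user goes here
    }
}
```

Registering the event unconditionally costs nothing: an observer that returns early is cheaper than an event that was never registered and then has to be debugged, as in this issue.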

@dev-101 commented on January 25th 2018

Thanks Mat, it fixed my issues completely. I am still not sure why this worked for months and then suddenly stopped, but sorry for the false alarm about security.

Regards

This Issue was closed on January 25th 2018