@olinox14 opened this Issue on December 2nd 2020

I use iframes to render some of the widgets in a website located on another server but on the same local network. Matomo's host and this website's are also subdomains of the same domain.

I added the iframes like suggested on the index.php?module=Widgetize&action=index page, with some little adjustments and using the token of a user who has the right to view the website:

<!-- Real time visits-->
<div class="widgetIframe" id="realTimeVisits"><iframe width="450" height="320" src="https://stats.mydomain.com/index.php?module=Widgetize&action=iframe&disableLink=1&widget=1&moduleToWidgetize=Live&actionToWidgetize=widget&idSite={matomoSiteId}&period=month&date=today&token_auth={matomoToken}" scrolling="yes" frameborder="0" marginheight="0" marginwidth="0"></iframe></div>

<!-- Last visits graph-->
<div class="widgetIframe" id="lastVisitsGraph"><iframe width="450" height="260" src="https://stats.mydomain.com/index.php?module=Widgetize&action=iframe&disableLink=1&widget=1&moduleToWidgetize=VisitsSummary&actionToWidgetize=getEvolutionGraph&idSite={matomoSiteId}&period=day&date=today&token_auth={matomoToken}" scrolling="yes" frameborder="0" marginheight="0" marginwidth="0"></iframe></div>

The widgets do appear as expected, however every time the second iframe is rendered (getEvolutionGraph), a new entry is added to the matomo_brute_force_log table.

I also had this very same problem with the widget moduleToWidgetize=VisitsSummary&actionToWidgetize=get, but only when the parameters forceView=1&viewDataTable=VisitorLog were added to the url; if those parameters are removed, the problem disappears. Of course, removing these parameters does not resolve the getEvolutionGraph case...

Because of this problem, the user's IP will be blocked for no reason if they visit the stats page more than the X times allowed by the brute force settings, making these widgets impossible to use in production.

@tsteur commented on December 2nd 2020 Member

Hi @olinox14 which version of Matomo are you using?

I just tried to reproduce this with Matomo 4 and it works there for me and doesn't log any brute force records. I think I remember there was some similar issue in some specific Matomo version but this might be fixed in a recent update.

@olinox14 commented on December 3rd 2020

Hi @tsteur
I'm using Matomo 4.0 too; I attach a copy of the system check: matomo_syscheck.txt

I'm implementing a stats page in a Typo3 CMS backend module.

I tried to give the right to view the site to the anonymous user, then by using an actual user and adding its token_auth to the iframe URLs, same issue.

@sgiehl commented on December 3rd 2020 Member

I was able to reproduce that. The problem is that this widget tries to send API requests forcing a session usage, which fails widgetized. Will check if there is an easy solution.

@tsteur commented on December 3rd 2020 Member

@sgiehl as mentioned in the PR it should fix it for widgets, but we still need to check if it also affects embedding regular controller actions, as some users seem to do that.

@sgiehl commented on December 4th 2020 Member

I will check that now

@sgiehl commented on December 4th 2020 Member

@tsteur that is still a problem, and generates brute force entries. I'm not sure what the best solution would be.
Should we maybe revert the changes done for the widgets, but instead change the API authentication to first check if the token can be used without the session and only if that is not possible force a session usage?

Other possibility would be to change the widgetize check I've added and check if the token_auth is given in the url instead of checking for the Widgetize module.

@tsteur commented on December 6th 2020 Member

@sgiehl ideally we avoid this if at all possible, as it should be better to exactly check a value against a session vs token etc. I'd need to think a bit more but if really needed we could do it.

What about: If the actual URL includes token but no force_session_api then we don't set the force_session_api? If no token is included or force_session_api=1 in url then we do send force_session_api. Would that work?
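The two authentication orders debated above, as an added example that is not Matomo's code and not from either participant. It is a deliberately simplified model: a request carries query parameters and possibly a browser session, a failed authentication is recorded in a brute-force log, and `force_session_api` (the parameter name as written in the thread) makes the authenticator ignore `token_auth` and require a session. The token value, IP address and the helper names `authenticate_session_first`, `authenticate_token_first` and `should_force_session` are all constructed for this illustration.

```python
"""Model of why a token-authenticated iframe can fill matomo_brute_force_log.

Added example, not Matomo's implementation. The model assumes:
  * an authenticator that either checks token_auth or, when the request
    carries force_session_api=1, insists on a browser session instead;
  * an embedded widget has a valid token in the URL but no Matomo session;
  * every failed authentication writes one brute-force log entry.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample token; a real deployment would look this up in its user table.
VALID_TOKENS = {"constructed-token-abc123"}


@dataclass
class Request:
    params: Dict[str, str]
    session_user: Optional[str] = None  # None: no Matomo session (typical for an iframe on another host)


@dataclass
class BruteForceLog:
    """Stand-in for the matomo_brute_force_log table."""
    entries: List[Tuple[str, str]] = field(default_factory=list)

    def record(self, ip: str, reason: str) -> None:
        self.entries.append((ip, reason))


def token_is_valid(req: Request) -> bool:
    return req.params.get("token_auth") in VALID_TOKENS


def session_is_valid(req: Request) -> bool:
    return req.session_user is not None


def authenticate_session_first(req: Request, ip: str, log: BruteForceLog) -> bool:
    """Behaviour the thread reports: with force_session_api=1 the token in the
    URL is never consulted, so a session-less widget request fails and is
    logged as if someone had guessed a wrong token."""
    if req.params.get("force_session_api") == "1":
        if session_is_valid(req):
            return True
        log.record(ip, "forced session auth failed")
        return False
    if token_is_valid(req):
        return True
    log.record(ip, "token auth failed")
    return False


def authenticate_token_first(req: Request, ip: str, log: BruteForceLog) -> bool:
    """sgiehl's alternative: accept a usable token on its own and only fall
    back to the session when the token cannot be used."""
    if token_is_valid(req) or session_is_valid(req):
        return True
    log.record(ip, "neither token nor session usable")
    return False


def should_force_session(params: Dict[str, str]) -> bool:
    """tsteur's alternative, decided on the client side: only request a forced
    session when the URL carries no token or explicitly asks for it."""
    if "token_auth" in params and params.get("force_session_api") != "1":
        return False
    return True


def widget_request_failures(strategy) -> int:
    """Replay a widget's internal API call (valid token, no session, forced
    session requested) against one authenticator and return how many
    brute-force entries it produced."""
    log = BruteForceLog()
    req = Request(
        params={"token_auth": "constructed-token-abc123", "force_session_api": "1"},
        session_user=None,
    )
    strategy(req, "10.0.0.5", log)  # constructed client IP on the local network
    return len(log.entries)


if __name__ == "__main__":
    print("session-first failures:", widget_request_failures(authenticate_session_first))
    print("token-first failures:  ", widget_request_failures(authenticate_token_first))
    print("force session for token URL:", should_force_session({"token_auth": "x"}))
```

The replay makes the cost of the ordering visible: the session-first authenticator turns every legitimate widget render into a logged failure, which the brute-force limiter then counts toward blocking the viewer's IP, while either of the proposed orderings leaves the log empty for the same request. A defender watching `matomo_brute_force_log` for real attacks benefits from the fix as well, since spurious entries from embedded widgets otherwise drown the signal.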

This Issue was closed on December 7th 2020