Hi all,
for work I am thinking of implementing an access logging module, but before I would start head on I would like to ask your opinion on the subject. Drupal core provides a logging module (the access module), which effectively logs on hook_exit. The problem I have with this approach is that this a) as far as I know will get ignored for aggressive caching, b) it gets triggered for page load from any source.
I thought about using a JavaScript snippet placed into the page (maybe with a token so it couldn't be misused, but then a cached page is not trivial) as most bots can't run the JS. Is there any way a callback like this could be validated for a cache stored page? What do you think of the approach?
Would appreciate any feedback,
Balazs
Quoting Balazs Dianiska <csillagasz@gmail.com>:
Hi all,
for work I am thinking of implementing an access logging module, but before I would start head on I would like to ask your opinion on the subject. Drupal core provides a logging module (the access module), which effectively logs on hook_exit. The problem I have with this approach is that this a) as far as I know will get ignored for aggressive caching, b) it gets triggered for page load from any source.
I thought about using a JavaScript snippet placed into the page (maybe with a token so it couldn't be misused, but then a cached page is not trivial) as most bots can't run the JS. Is there any way a callback like this could be validated for a cache stored page? What do you think of the approach?
Have you researched existing solutions?
http://www.google.com/search?q=access+log+site%3Adrupal.org%2Fproject
Are you looking for a method to log each form access? Create a module foo.
<?php
// Log which user accessed which form each time a form is built.
function foo_form_alter ($form_id, &$form) {
  global $user;
  watchdog ('form access', t('@uid accessed @form_id', array('@uid' => $user->uid, '@form_id' => $form_id)));
}
?>
Earnie
-- http://for-my-kids.com/
-- http://give-me-an-offer.com/
Balazs Dianiska wrote:
I thought about using a JavaScript snippet placed into the page (maybe with a token so it couldn't be misused, but then a cached page is not trivial) as most bots can't run the JS. Is there any way a callback like this could be validated for a cache stored page? What do you think of the approach?
I wouldn't worry too much about misuse, since people could just visit the page hundreds of times anyway to achieve the same result - just make a post request to a javascript menu callback, and log from there.
-Charlie
I wouldn't worry too much about misuse, since people could just visit the page hundreds of times anyway to achieve the same result - just make a post request to a javascript menu callback, and log from there.
I was concerned that one could fabricate a post call and do it programmatically. Having validation at least requires semi-real visits from a JS capable browser and some automatization, which hopefully is a little bit more difficult to do on large scale than the fabrication.
However it just dawned on me that I could just check for a session in the callback code, which should prevent most fabrications from working.
Earnie: yes I looked at other alternatives, but none of them seems to give me the simple output of the standard access module, just more accurately (-bots).
Thanks for the feedback,
Balazs
I disagree with the fact that you turn to JavaScript as an access logging solution.
Access logging needs to log *everything*, but what if a user has JavaScript turned off, as many do? Oh well. They won't be logged.
Why don't you use hook_boot, which is new in Drupal 6, and runs for *every* page, even ones that are cached aggressively. That way, you don't run into problems of generating tokens (which you would have to do per-page-load) and such.
Dmitri
On Fri, Aug 22, 2008 at 8:55 AM, Balazs Dianiska <csillagasz@gmail.com> wrote:
I wouldn't worry too much about misuse, since people could just visit the page hundreds of times anyway to achieve the same result - just make a post request to a javascript menu callback, and log from there.
I was concerned that one could fabricate a post call and do it programmatically. Having validation at least requires semi-real visits from a JS capable browser and some automatization, which hopefully is a little bit more difficult to do on large scale than the fabrication.
However it just dawned on me that I could just check for a session in the callback code, which should prevent most fabrications from working.
Earnie: yes I looked at other alternatives, but none of them seems to give me the simple output of the standard access module, just more accurately (-bots).
Thanks for the feedback, Balazs
Hi,
if you do decide on client-side analytics you might look at piwik: http://piwik.org
It loads via javascript or a <noscript> img tag. There's a drupal module that integrates with piwik (haven't used it myself): http://drupal.org/project/piwik
--mark
On Fri, Aug 22, 2008 at 9:46 AM, Dmitri G <dmitrig01@gmail.com> wrote:
I disagree with the fact that you turn to JavaScript as an access logging solution.
Access logging needs to log *everything*, but what if a user has JavaScript turned off, as many do? Oh well. They won't be logged.
Why don't you use hook_boot, which is new in Drupal 6, and runs for *every* page, even ones that are cached aggressively. That way, you don't run into problems of generating tokens (which you would have to do per-page-load) and such.
Dmitri
On Fri, Aug 22, 2008 at 8:55 AM, Balazs Dianiska <csillagasz@gmail.com> wrote:
I wouldn't worry too much about misuse, since people could just visit the page hundreds of times anyway to achieve the same result - just make a post request to a javascript menu callback, and log from there.
I was concerned that one could fabricate a post call and do it programmatically. Having validation at least requires semi-real visits from a JS capable browser and some automatization, which hopefully is a little bit more difficult to do on large scale than the fabrication.
However it just dawned on me that I could just check for a session in the callback code, which should prevent most fabrications from working.
Earnie: yes I looked at other alternatives, but none of them seems to give me the simple output of the standard access module, just more accurately (-bots).
Thanks for the feedback, Balazs
participants (5)
- Balazs Dianiska
- Charlie Gordon
- Dmitri G
- Earnie Boyd
- mark burdett