When max actions feature enabled and limit reached, delete the current visit #4

Open
tsteur opened this issue Dec 13, 2020 · 2 comments
Labels
enhancement New feature or request

tsteur commented Dec 13, 2020

Say someone configures max 100 actions per visit to be allowed, and the current visit reached > 100 actions, then we block this IP for future tracking requests for up to 24 hours.

We could also directly delete this visit (and potentially delete all visits from that IP from the same day). It would be easy to develop, but we're not doing it for now as you could potentially misuse it to delete visits if e.g. HTTP headers are used to detect the IP etc. It may be fine though, maybe when no proxy headers are used or so.

Depending on how often this happens, we could also include a link in the email to the visitor profile or so, and then the user could decide to delete that visit once this feature is available. This requires manual work though.

@tsteur tsteur added the enhancement New feature or request label Dec 13, 2020
AJHoeh commented Mar 2, 2021

> We could also directly delete this visit

I think that is the most important part and would be a great enhancement. If unsure, maybe implement it as an optional setting :)

tsteur commented Mar 2, 2021

FYI, I just realised it may be difficult to delete the visit automatically. What would potentially happen is:

  • visit reaches say 500 actions
  • usually we would simply stop tracking further actions but now we would (optionally) delete the visit completely from the DB
  • spammer sends another request
  • we would create a new visit and start tracking these actions again

To prevent this problem, we could instead delete visits in a task, say every X hours or once a day, and only delete "finished visits" where the last action was more than 30 minutes ago (or whatever is configured as the visit length for creating new visits). This way would also be generally better because it would mean we wouldn't need to invalidate existing reports every time a single visit is deleted.

Alternatively, we could of course do a soft delete, but this would require a DB schema change on the log table, which we only do for major release updates because they take so long. Yet another way would be to put the configId/visitorId temporarily on a "not allow" list.
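The deferred cleanup described in the comment above, as an added sketch that is not part of the thread or the project's code. The `visit` table, its columns and the function names are hypothetical, and the sample rows are constructed; the limit of 100 actions and the 30-minute visit length are the figures used in the thread.

```python
import sqlite3

MAX_ACTIONS = 100            # "max 100 actions per visit" from the issue
VISIT_LENGTH_SECONDS = 1800  # "30 minutes" visit length from the comment

def make_db(rows):
    """Build a hypothetical, simplified visit log (one row per visit)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE visit (id INTEGER PRIMARY KEY, visitor_id TEXT,"
        " actions INTEGER, last_action_ts INTEGER)"
    )
    db.executemany("INSERT INTO visit VALUES (?, ?, ?, ?)", rows)
    return db

def purge_finished_spam_visits(db, now):
    """Delete visits over the action limit that are already finished.

    A visit still inside the visit-length window is left alone, so a
    follow-up request from the same sender cannot recreate a fresh visit
    that starts counting from zero. Returns the deleted ids so reports
    can be invalidated once per run instead of once per visit.
    """
    cutoff = now - VISIT_LENGTH_SECONDS
    with db:  # select and delete in one transaction
        ids = [row[0] for row in db.execute(
            "SELECT id FROM visit WHERE actions > ? AND last_action_ts < ?"
            " ORDER BY id", (MAX_ACTIONS, cutoff))]
        db.executemany("DELETE FROM visit WHERE id = ?", [(i,) for i in ids])
    return ids

def remaining_ids(db):
    return [row[0] for row in db.execute("SELECT id FROM visit ORDER BY id")]

NOW = 1_700_000_000  # constructed timestamp for the sample data
SAMPLE = [
    (1, "aaa", 500, NOW - 7200),  # over the limit and finished: deleted
    (2, "bbb", 500, NOW - 60),    # over the limit but still active: kept for now
    (3, "ccc", 12, NOW - 7200),   # ordinary finished visit: kept
    (4, "ddd", 100, NOW - 7200),  # exactly at the limit, not above it: kept
]

if __name__ == "__main__":
    db = make_db(SAMPLE)
    print("deleted:", purge_finished_spam_visits(db, NOW))
    print("remaining:", remaining_ids(db))
```

Running the task again an hour later picks up visit 2 once it has gone quiet, which is the behaviour the comment relies on to avoid the delete-and-recreate loop.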
