Piwik 1.8 TrackerApi (PiwikTracker.php) don't record the ClientIP correctly

towerlexa · June 2, 2012, 11:06am

I’ve implemented the PiwikTracker.php in my website and now the correct client IP wouldn’t be recorded (or shown) inside the Piwik Dashboard.


80.237.133.50 - - [02/Jun/2012:12:44:17 +0200] "GET /piwik.php?idsite=4&rec=1&apiv=1&r=614764&[b]cip=80.226.24.15[/b]&_id=671edb53f8b79890&res=1600x1400&url=http%3A%2F%2Freisen.blaufotograph.de%2F&urlref=http%3A%2F%2Freisen.blaufotograph.de%2Firland%2Firland_2008%2Firland.php&action_name=Title%3A+reisen.index HTTP/1.1" 200 43 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0"

Inside the Dashboard the request will be shown as following:


Sa 2 Jun - 12:28:21
IP: 80.237.133.50
Provider: Hosteurope 	  [Deutschland, Provider Hosteurope]   [Firefox 12.0 with plugins enabled]   [Linux, 1600x1400 (normal)]  
	
Direkte Zugriffe
	4 Aktionen - 15 Minuten 57s

    Title: reisen.irland_2008
    http://reisen.blaufotograph.de/irland/irland_2008/irland.php 3x
    Title: reisen.index
    http://reisen.blaufotograph.de/

Could you please give me a hint what i could do ? Do i have make some mistakes using the tracking api ?

I found a older thread, where the same issue was discussed, and someone wrote, that this should be fixed ??

matthieu · June 2, 2012, 9:54pm

using cip parameter to force the IP you also need to use token_auth to do the request authentication

towerlexa · June 3, 2012, 7:29pm

[quote=matt]
using cip parameter to force the IP you also need to use token_auth to do the request authentication[/quote]
Hi Matt, thank you for the hint. It works now.

I found this german thread, which explaines this too: 301 Moved Permanently

In the PiwikTracker.php i found, that setting using the setIP function is a security constraint.


public function setIp($ip)
    {
    	$this->ip = $ip;
    }
    
    /**
     * Forces the requests to be recorded for the specified Visitor ID
     * rather than using the heuristics based on IP and other attributes.
     * 
     * This is typically used with the Javascript getVisitorId() function.
     * 
     * Allowed only for Super User, must be used along with setTokenAuth().
	 * Set tracking_requests_require_authentication = 0 in config.ini.php [Tracker] section
	 * to change this security constraint.
     * @see setTokenAuth()
     * @param string $visitorId 16 hexadecimal characters visitor ID, eg. "33c31e01394bdc63"
     */

Could you give me hint, why this is a security constraint?? Or a link?

Additionally i’am not happy, while configuring a token with admin rights inside my php script. Is there any other way? It is possible to set the AuthToken for a user without admin rights ?

Thank you very much.

matthieu · June 3, 2012, 8:37pm

we removed this notice, and recommend to use token_auth and keep it secret

towerlexa · June 4, 2012, 9:39am

[quote=matt]
we removed this notice, and recommend to use token_auth and keep it secret[/quote]

Hi Matt, thanks again.

But i would like to ask once more.

Is it really necessary to have admin rights to use token_auth? Maybe it is also possible to have a special right for this??
Maybe you could create a role for this usecase? For example a role “token_auth_right”, or a special entry inside the config.ini.php, which user is allowed to do the token_auth for setting the client ip ? I’am not really happy to see, there is a user with admin rights, for only setting the client ip.

Maybe it is possible to think about this.

Thank you for your help.

Kind regards, towerlexa

matthieu · June 5, 2012, 12:47am

That’s a good point, we could create a new role for this, please create a ticket for the feature request