Cloudflare Dashboard and Cloudflare Web Analytics show very different number of visits - cloudflare

I have a static website on Cloudflare Pages, for which Cloudflare Web Analytics is enabled.
This is the only thing I am hosting on Cloudflare, and I set it up less than 24 hours ago. On the Cloudflare Dashboard, I see 403.96k visitors in the last 7 days, whereas in Cloudflare Web Analytics it is 152.08k, a relative difference of 2.68. (In both cases, the number of page views is very close to the number of visits.) What could be the reason for this?

The Cloudflare Dashboard shows server-side analytics, meaning it will record every request to your domain (bots, utils, users, etc.).
On the free plan, their Web Analytics solution is client-side, and relies on JavaScript to run and report data. This leaves it susceptible to being blocked by browser extensions. It will also not record all bot requests, particularly if they are just requesting a specific page / resource, and not running in a browser.
More info - https://developers.cloudflare.com/analytics/faq/web-analytics#the-analytics-beacon-is-blocked-by-ad-blockers-including-adblockplus-brave-duckduckgo-extension-etc-why-is-that

Related

AWS Signed Cookies in an IFrame?

Is it possible to support cookies in an IFrame that won't be broken by some of the recent cookie security improvements? The IFrame is embedded on arbitrary domains that we don't control. Other than the initial request URI being passed, we don't care about any special message passing or cross domain access.
Context: an app I've inherited serves authenticated S3 content in an IFrame to users. The content is proxied by CloudFront, leaning on their Signed Cookies feature to authenticate the initial HTML page, as well as every other asset (CSS, JS, images, etc.) that might be on the page. The cookie is generated/set after a successful auth handshake.
Recently, the move towards blocking third party cookies has broken this model. Users need to downgrade their security settings, and this will flat out stop working soon.
Short of a larger architectural change, is there a way to configure the cookies or CF to work within an IFrame, embedded on domains we don't control? My assumption is that this model is fundamentally broken now, but I wanted to triple check before reaching for a larger architectural change.
Thanks

How to use squid access logs to find frequency of web requests

I am trying to build a model for how frequently users make web requests. I am interested in the timing between each new page they visit. I want to build a load simulator which then uses this model.
To do this I've been analyzing Squid access logs and looking at the timing between HTTP requests by user IP. Squid captures all the requests associated with a web site request and I am only interested in the top level page requests. There are numerous starting pages for a request, e.g. not just *.html, so it seems challenging to only capture the starting page for each session.
Is there a way to only capture the initial request for the top level page, like for when a user visits a page on Amazon, and then they jump to another page, etc.?
You can use Squid Analysis Report Generator. It will read log files and generate reports in HTML format with detailed information like accessed and denied websites and daily and weekly reports.
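One way to isolate top-level page requests and the time between them, as an added example that is not part of the question or the answer above. It assumes Squid's default native `access.log` format and uses a heuristic (a `GET` answered `200` with a `text/html` content type, not within `min_gap` seconds of the same client's previous page); the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample, Squid native format:
# time elapsed client code/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1700000000.120    85 10.0.0.5 TCP_MISS/200 15320 GET http://shop.example/ - HIER_DIRECT/203.0.113.10 text/html
1700000000.310    12 10.0.0.5 TCP_MISS/200 4211 GET http://shop.example/site.css - HIER_DIRECT/203.0.113.10 text/css
1700000000.480    20 10.0.0.5 TCP_HIT/200 9120 GET http://shop.example/logo.png - NONE/- image/png
1700000005.000    70 10.0.0.9 TCP_MISS/200 15320 GET http://shop.example/ - HIER_DIRECT/203.0.113.10 text/html
1700000012.900    90 10.0.0.5 TCP_MISS/200 18200 GET http://shop.example/item?id=7 - HIER_DIRECT/203.0.113.10 text/html
1700000013.200    30 10.0.0.5 TCP_MISS/200 900 GET http://ads.example/frame.html - HIER_DIRECT/203.0.113.30 text/html
1700000047.500    88 10.0.0.5 TCP_MISS/200 17000 GET http://shop.example/checkout - HIER_DIRECT/203.0.113.10 text/html
1700000047.900     5 10.0.0.5 TCP_TUNNEL/200 5100 CONNECT pay.example:443 - HIER_DIRECT/203.0.113.20 -
"""

def page_views(lines, min_gap=1.0):
    """Yield (client, timestamp, url) for requests that look like top-level pages.

    Expects lines in time order, as Squid writes them.
    """
    last_page = {}  # client -> timestamp of the last accepted page view
    for line in lines:
        f = line.split()
        if len(f) < 10:
            continue  # truncated line or a custom logformat
        ts, client, method, url, mime = float(f[0]), f[2], f[5], f[6], f[9]
        status = f[3].rpartition("/")[2]
        # CONNECT tunnels (HTTPS without SSL bump) carry no URL path or type.
        if method != "GET" or status != "200" or not mime.startswith("text/html"):
            continue
        # HTML fetched right after a page (iframes, fragments) belongs to that page.
        if client in last_page and ts - last_page[client] < min_gap:
            continue
        last_page[client] = ts
        yield client, ts, url

def think_times(lines, min_gap=1.0):
    """Return {client: [seconds between consecutive page views]}."""
    stamps = defaultdict(list)
    for client, ts, _url in page_views(lines, min_gap):
        stamps[client].append(ts)
    return {c: [round(b - a, 3) for a, b in zip(sorted(t), sorted(t)[1:])]
            for c, t in stamps.items()}
```

Client IP is only a proxy for a user: clients behind NAT share one address, so their page views interleave and the gaps come out too short.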

Prestashop Backend Logout after Cloudflare setup

I have set up Cloudflare for my PrestaShop website. In the backend, each time I refresh a page it points me to the backend login page; it logs me out.
In the customer account this behavior does not happen. If I log in as a customer it works fine.
I have created a rule in Cloudflare settings with a URL pattern matching my backend: example.com/admin123/*. No results, same behavior.
Do you have something to restore the visitor IP?
Generally see this kind of behavior if you're restricting logins to particular IPs and/or the CMS relies on unique IPs to login.

removing cookies on another domain using mod-rewrite and apache

I have built a cookie consent module that is used on many sites, all using the same server architecture, on the same cluster. For the visitors of these sites it is possible to administer their cookie settings (e.g. no advertising cookies, but allow analytics cookies) on a central domain that keeps track of the user preferences (and sites that are visited).
When they change their settings, all sites that the visitor has been to that are using my module (kept in cookie) are contacted by loading it with a parameter in hidden iframes. I tried the same with images.
On these sites a rewrite rule is in place that detects that parameter and then retracts the cookie (set the date in the past) and redirects to a page on the module site (or an image on the module site).
This scheme is working in all browsers, except IE, as it needs a P3P (Probably the reason why it is not working for images is similar).
I also tried loading a non-existent image on the source domain (that is, the domain that is using the module) through an image tag, obviously resulting in a 404. This works on all browsers, except Safari, which doesn't set cookies on 404's (at least, that is my conclusion).
My question is, how would it be possible to retract the cookie consent cookie on the connected domains, given that all I can change are the rewrite rules?
I hope that I have explained the problem well enough for you guys to give an answer, and that a solution is possible...
I am still not able to resolve this question, but when looked at it the other way around there is a solution. Using JSONP (for an example, see: Basic example of using .ajax() with JSONP?), the client domain can load information from the master server and compare that to local information.
Based on that, the client site can retract the cookie (or even replace it) and force a reload which will trigger the rewrite rules...
A drawback of this solution is that it will hit the server for every pageview, and in my case, that's a real problem. Only testing that every x minutes or so (by setting a temporary cookie) would provide a solution.
Another, even simpler solution would be to expire all the cookies on the client site every x hours. This will force a revisit of the main domain as well.

how can cookies track users despite same origin policy?

Article here discusses tactics used by political campaigns.
http://www.nytimes.com/2012/10/14/us/politics/campaigns-mine-personal-lives-to-get-out-vote.html
The part in question is quoted:
The campaigns have planted software known as cookies on voters’
computers to see if they frequent evangelical or erotic Web sites for
clues to their moral perspectives. Voters who visit religious Web
sites might be greeted with religion-friendly messages when they
return to mittromney.com or barackobama.com.
How is that possible? I thought all modern browsers have same origin policy security where website A doesn't have access to any information about other website B, website C, etc.
The article makes it sound like a user browses:
1. presidentialcandidate.com
2. website2.com
3. website3.com
4. website4.com
5. presidentialcandidate.com
How can a cookie from visit #1 track user history and be revealed in visit #5?
It's true that browsers commonly won't accept or send cookies set for a different domain than the request itself. While actual implementations vary, one straightforward technique is using third-party cookies. If website2.com, website3.com and website4.com all embed resources from presidentialcandidate.com -- for example, an advertisement in an iframe, or a 1x1 pixel image -- and the user's browser accepts and sends third-party cookies, then presidentialcandidate.com can learn, through setting and retrieving of the cookie and HTTP referer headers, that the visitor has previously visited those sites.
RFC 6265 discusses the privacy implications of third-party cookies in greater detail.
It may not always be resources from presidentialcandidate.com that are enabling this process. For example, some services use cookie syncing to align cookie identifiers between services (a description of cookie syncing in one scenario).
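The mechanism described in the answer above, as an added simulation that is not part of the original answer: sites embed a resource from presidentialcandidate.com, and that host links the visits through its cookie and the Referer header. The `Tracker` and `Browser` classes are a simplified, hypothetical model; real browsers differ in how they block or partition third-party cookies and trim referrers.

```python
import itertools

TRACKER_HOST = "presidentialcandidate.com"

class Tracker:
    """Server side of the embedded resource (a 1x1 pixel or an iframe)."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.seen = {}  # visitor id -> Referer values observed for that id

    def pixel(self, cookie, referer):
        """Handle one request; return a new cookie value to set, or None."""
        visitor = cookie or f"v{next(self._ids)}"
        self.seen.setdefault(visitor, []).append(referer)
        return None if cookie else visitor

class Browser:
    def __init__(self, third_party_cookies):
        self.third_party_cookies = third_party_cookies
        self.jar = {}  # cookie host -> value

    def visit(self, page_host, tracker):
        """Load a page on page_host that pulls a resource from TRACKER_HOST."""
        third_party = page_host != TRACKER_HOST
        allowed = self.third_party_cookies or not third_party
        cookie = self.jar.get(TRACKER_HOST) if allowed else None
        new_cookie = tracker.pixel(cookie, referer=f"https://{page_host}/")
        if new_cookie and allowed:
            self.jar[TRACKER_HOST] = new_cookie

def history_learned(third_party_cookies):
    """Replay the question's five visits; return what the tracker recorded."""
    tracker, browser = Tracker(), Browser(third_party_cookies)
    for host in [TRACKER_HOST, "website2.com", "website3.com",
                 "website4.com", TRACKER_HOST]:
        browser.visit(host, tracker)
    return tracker.seen
```

With third-party cookies accepted, all five visits fall under one visitor id; with them blocked, the embedded requests still arrive with a Referer but each gets a fresh id that is never stored, so they cannot be tied to the returning visitor.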