Page MenuHomePhabricator
Create Task
Maniphest T107598

Spike [2 hours]: How to ensure that every session only can submit a survey result once (quick survey)
Closed, ResolvedPublic
Actions

Description

How do we avoid a malicious user sending multiple answers and skewing the survey results?

This applies only to the quick survey, the external surveys will deal with it.

Seems like from the event logging results we can group by a combo of fields (user agent + ip hash + others) to get a fairly unique identifier for a user, then we would be able to see malicious users and investigate if we should remove them from the results.

  • How do we identify malicious users in the survey results.
  • Any other issues we should be thinking about?

Related Objects
Search...

Event Timeline

Jhernandez created this task.Jul 31 2015, 4:34 PM
Jhernandez raised the priority of this task from to Medium.
Jhernandez updated the task description. (Show Details)
Jhernandez added a project: Reading-Web-Sprint-53-12-Monkeys.
Jhernandez subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 31 2015, 4:34 PM
Jdlrobson subscribed.Jul 31 2015, 6:22 PM

Not easily... It really comes down to where we store the results and whether we store session ids. EventLogging? Given the surveys are sampled it would be hard for an anon to cheat the survey and impossible for a logged in user.

Jhernandez added a subscriber: dr0ptp4kt.Aug 3 2015, 10:52 AM

@Jdlrobson I asked @dr0ptp4kt about this and he told me it should be fairly easy to group the survey results from the event logging data by a combo of user agent+a few other things to see if there are any offenders and remove them from the results, so it seems like this may be a non-issue.

I'd like to clarify the fields we would group by from the EL data and any other issues we may find though, that's what the spike is for.

Jhernandez updated the task description. (Show Details)Aug 3 2015, 10:54 AM
Jhernandez set Security to None.
KLans_WMF renamed this task from Spike: How to ensure that every session only can submit a survey result once (quick survey) to Spike [2 hours]: How to ensure that every session only can submit a survey result once (quick survey).Aug 3 2015, 4:24 PM
KLans_WMF moved this task from Needs Analysis to To Do on the Reading-Web-Sprint-53-12-Monkeys board.
bmansurov claimed this task.Aug 4 2015, 8:25 PM
bmansurov moved this task from To Do to Doing on the Reading-Web-Sprint-53-12-Monkeys board.
bmansurov added a comment.Aug 4 2015, 10:29 PM

We could use a combination of the following fields from the database: clientIp and userAgent.

We could also send/store a unique random token per browser and use it for filtering. It can be generated using mw.user.id(). This will be equal to the username for logged in users.

bmansurov moved this task from Doing to Code Review on the Reading-Web-Sprint-53-12-Monkeys board.Aug 4 2015, 11:08 PM
dr0ptp4kt added a comment.Aug 4 2015, 11:15 PM

I think for now we should be okay without the additional field, and we can deal with abuse later should it surface.

phuedx moved this task from Code Review to Ready for Signoff on the Reading-Web-Sprint-53-12-Monkeys board.Aug 5 2015, 10:16 AM
Jhernandez added a comment.Aug 5 2015, 10:37 AM

Also I don't think we want to log username+answers on an identifiable way.

Let's keep clientIp and userAgent in mind then. Thanks @bmansurov

Jhernandez closed this task as Resolved.Aug 5 2015, 11:45 AM
Jhernandez moved this task from Ready for Signoff to Done on the Reading-Web-Sprint-53-12-Monkeys board.
Jhernandez added a project: QuickSurveys.Aug 11 2015, 10:50 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL