[MGNLPN-512] Reduce the scope of CountryDetectorFilter from session to request
Created: 02/Nov/20
Updated: 11/Dec/23

Status: Open
Project: Magnolia Personalization
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Neutral
Reporter: Aleksandr Pchelintcev
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: dx-core-6.3, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MGNLPN-513 Document the un-obvious implications ... Open
supersession
supersedes MGNLPN-507 Consider an in-memory ip-based cache ... Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Epic Link: Throughput improvements
Team: AuthorX

Description
  • Contrary to what was assumed, the GeoIP calls made by the filter aren't expensive (they make no extra HTTP calls and rely on the local DB instead).
  • Given that, it would be advisable to reconfigure the filter to use request-scoped storage instead of session-scoped storage.
    • This way we wouldn't be creating new sessions for anonymous users, which prevents potential DoS attacks.
    • We'd also avoid potential inquiries from privacy-conscious clients, who might be confused by session cookies being created where they are not expected.

Workaround:

Set the traitStorageClass property at https://demo.magnolia-cms.com/.magnolia/admincentral#app:configuration:browser;/modules/personalization-traits/traits/country@traitStorageClass:treeview: to info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$RequestScopedTraitStorage
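
The difference between the two scopes, as an added example written against the plain javax.servlet API (not Magnolia's CountryDetectorFilter or trait storage code). The class name, the "scope" init parameter, the attribute name and resolveCountry() are hypothetical, with resolveCountry() standing in for the local GeoIP database lookup.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Added illustration, not Magnolia code: one filter, two storage scopes.
public class CountryScopeExampleFilter implements Filter {

    private static final String ATTR = "example.country"; // assumed attribute name
    private boolean sessionScoped; // hypothetical init-param: scope=session|request

    @Override
    public void init(FilterConfig config) {
        sessionScoped = "session".equals(config.getInitParameter("scope"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (sessionScoped) {
            // getSession() is getSession(true): a client that sends no session
            // cookie gets a new server-side session (held until timeout) and a
            // session cookie, so cookieless anonymous traffic grows server state.
            if (http.getSession().getAttribute(ATTR) == null) {
                http.getSession().setAttribute(ATTR, resolveCountry(http.getRemoteAddr()));
            }
        } else {
            // Request scope: the value lives only for this request. No session
            // is allocated and no cookie is issued; the lookup runs per request,
            // which is acceptable because it only reads a local database.
            http.setAttribute(ATTR, resolveCountry(http.getRemoteAddr()));
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    // Hypothetical stand-in for the local GeoIP database lookup.
    private String resolveCountry(String remoteAddr) {
        return "ZZ"; // constructed placeholder value
    }
}
```

With the request-scoped branch active, a response to a cookieless anonymous request should carry no Set-Cookie header for the session id, provided nothing else in the filter chain creates a session.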


Generated at Mon Feb 12 06:38:22 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.