Stop setting statsig_stable_id as cookie #65673
Conversation
| @@ -51,6 +51,7 @@ def link_email | |||
| user: existing_user, | |||
| event_name: 'lti_user_signin', | |||
| metadata: metadata, | |||
| session: session, | |||
There was a problem hiding this comment.
Passing in session here to extract the statsig_stable_id. We are not including a stable ID in a lot of the LTI related event logs, however given that this functionality links a user who launched from an LMS to an existing user account, I think it could be helpful to include a stable ID in the log. Or maybe not 🤷♂️
There was a problem hiding this comment.
Did you check to make sure there isn't a security or privacy issue with logging the whole session? How big is the session? I think we were having issues for a long time because we were storing too much data in Cookies, so we moved it to the session. Now I'm concerned we are dumping a lot more data into this event. I think it's a little risky for "may be useful". If there is a lot of data, this code could instead be specific about which data from the session is being logged.
There was a problem hiding this comment.
I think my comment is confusing, I've re-worded it.
It doesn't log the session. We persist the statsig_stable_id in session (in the application_controller.rb above), then inside of Metrics::Events.log_event, we dig it out of the session (link to below). In order to access session from a non-controller (I.e. the Metrics::Events module), we have to pass in session as it doesn't have access to it.
There was a problem hiding this comment.
Basically what this functionality does is, if you want to include the stable ID in the event you're logging, you pass in the session to the log_event method, and it will extract it. If you don't care about including a stable ID, you can chose to not pass in the session. There are a lot of places where were weren't including the stable ID in the event, because we already have a signed-in user (therefore a user ID). However this account linking step is the case where a user launches from an LMS, and they can chose to continue with creating a new user or link to an existing account. I figured it could be helpful to include the stable ID in this step, which is why I added it.
apps/src/metrics/statsigHelpers.js
Outdated
| @@ -13,15 +11,8 @@ export function getUserType() { | |||
| } | |||
|
|
|||
| export function findOrCreateStableId() { | |||
There was a problem hiding this comment.
nit This doesn't "Create" a stable ID anymore.
There was a problem hiding this comment.
Good call. Actually now I'm wondering if I should have it create a stable ID in the case it doesn't get one passed to it from the backend 🤔
There was a problem hiding this comment.
Well, except that we wouldn't have anywhere to store it if we created one here (can't use a cookie like before). This would run on each page load and generate a new ID each time, which would not be very "stable". I think I'll just change the name and expect that it will be passed from the backend.
| @@ -51,6 +51,7 @@ def link_email | |||
| user: existing_user, | |||
| event_name: 'lti_user_signin', | |||
| metadata: metadata, | |||
| session: session, | |||
There was a problem hiding this comment.
Did you check to make sure there isn't a security or privacy issue with logging the whole session? How big is the session? I think we were having issues for a long time because we were storing too much data in Cookies, so we moved it to the session. Now I'm concerned we are dumping a lot more data into this event. I think it's a little risky for "may be useful". If there is a lot of data, this code could instead be specific about which data from the session is being logged.
- Set statsig_stable_id in session - Pass id to frontend via script tag functionality Signed-off-by: Nick Lathe <[email protected]>
- Session was added to Metrcis::Events.log_event in places that are
unecessary, due to having a signed_in user
- .dig for statsig_stable_id from session with safe navigation operator - Remove unecessary line that clears cookies during logout
nicklathe
force-pushed
the
P20-1505/remove-statsig-stable-id-cookie
branch
from
16e4995 to
5d981b9
Compare
📝 PR Overview
This PR updates how we capture signed-out user metrics in order to align with our cookie policy and fix a OneTrust integration issue.
🔍 Background
Previously, we used a
statsig_stable_idcookie to uniquely identify user sessions for Statsig. This allowed Statsig to stitch anonymous events (signed-out users) and associate them with a signed-in user later.However:
✅ What this PR changes
To address the above, we now:
statsig_stable_idin the server-side session (instead of a cookie)This approach preserves the ability to capture anonymous user metrics without violating cookie restrictions or breaking OneTrust.
Links
Testing story
Deployment strategy
Follow-up work
Privacy
Security
Caching
PR Checklist: