Improvements #13879
Improvements #13877 (closed): Be less permissive to bots
Do not generate session-related parameters to bots
0%
Description
When a bot requests a page, it will (likely) be given an HTML-only page. Wt is quite event-driven, and will try to remain so.
For a normal session (even without JS), it will attach wtd and signal to ensure that the server side can remain consistent with the client side. The session remains alive on the server, and by means of the wtd it can match incoming requests to sessions. signals will be used to track certain other events (like navigation).
For sessions detected as bots this is all irrelevant. They have no persistent session, as their session gets killed immediately after the response is served to them.
This means that any output generated by Wt that would normally carry a wtd or signal will not be useful in the context of a bot environment.
We should ensure that wtd and signal parameters are not generated as output and placed into the resulting HTML that Wt serves to the client. That way bots will not try to recursively call pages, or make requests that make no sense within a sessionless application.
Updated by Romain Mardulyn 3 months ago
- Status changed from New to InProgress
 - Assignee set to Romain Mardulyn
 
Updated by Matthias Van Ceulebroeck 3 months ago
- Status changed from InProgress to Rejected
 - Assignee deleted (Romain Mardulyn)
 - Target version deleted (4.12.1)
This has been the case for user-agents detected as bots already. Only recently did some configuration change for the widget gallery that allowed this functionality to be correctly used. (i.e. the correct .*bot.*, and not only .*Bot.*).
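
The case-sensitivity gap mentioned in the last comment, as an added example (not Wt's own code). It assumes bot patterns are applied as case-sensitive, full-string regex matches; the User-Agent strings are constructed and the helpers `isBot` and `missedCrawlers` are hypothetical.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// True when any pattern matches the whole User-Agent string.
// Assumption: matching is case-sensitive and anchored to the full string,
// which is why the patterns carry a leading and trailing ".*".
bool isBot(const std::vector<std::string>& patterns, const std::string& userAgent)
{
    for (const auto& p : patterns) {
        if (std::regex_match(userAgent, std::regex(p)))
            return true;
    }
    return false;
}

// Constructed sample User-Agent strings, all standing in for crawlers.
const std::vector<std::string> kCrawlerAgents = {
    "Mozilla/5.0 (compatible; ExampleBot/1.0)",  // capital "Bot"
    "Mozilla/5.0 (compatible; examplebot/2.1)",  // lowercase "bot"
    "example-robot/0.3",                         // lowercase "bot" inside "robot"
};

// Crawler agents that a pattern list fails to classify as bots. Each one
// would be handled as a normal session and receive wtd/signal parameters.
std::vector<std::string> missedCrawlers(const std::vector<std::string>& patterns)
{
    std::vector<std::string> missed;
    for (const auto& ua : kCrawlerAgents) {
        if (!isBot(patterns, ua))
            missed.push_back(ua);
    }
    return missed;
}

int main()
{
    std::cout << missedCrawlers({".*Bot.*"}).size() << " missed with .*Bot.* only\n";
    std::cout << missedCrawlers({".*Bot.*", ".*bot.*"}).size() << " missed with both\n";
}
```
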