How to configure "Usage Statistics" plugin settings

mattias.olsson · August 18, 2021, 1:16pm

Hi!
I cant seam to find any information on how to configure the “Usage statistics” plugin settings.
I wish to anonymize statistics due to GDPR but i cant find any info on how to create the salt file that should be readable by the web server user

Im running OJS 3.x on RedHat Linux.

These are the settings i wish to use:

Data privacy option
To ensure data privacy, you must specify a file readable and writable by the web … ; the function openssl_random_pseudo_bytes, which requires the PHP openssl; the file /dev/urandom, … salt …

File path for the anonymizing salt
Activate this option to use a plugin version that respects privacy legislations, i.e. that is logging hashed IP addresses, informs the users about the tracking and provides an opt-out option for users. Note: when using this option you will not be able to use the geo features of the plugin.

**Respect data privacy**

Thanks all!

israel.cefrin · August 18, 2021, 3:22pm

Hi @mattias.olsson

You can read about data anonymization from PKP Documentation website:
https://docs.pkp.sfu.ca/gdpr/en/configuration-options

Anonymize usage data. OJS and OMP both have a Usage Statistic plugin that provides detailed metrics on page views and galley file downloads. It also creates and stores log files containing detailed information including IP address, date/time visited, page views, and browser information. This plugin does have a “Respect data privacy” option that will hash IP addresses, and inform visitors that this data is being tracked (with an option to opt-out). More information is available in the following locations:

OJS 2: Journal Management > System Plugins > Generic Plugins > Usage Statistics Plugin > Settings.

OJS/OMP 3: Settings > Website > Plugins > Generic Plugins > Usage Statistics Plugin > Settings.

Enabling the “Respect data privacy” option will require direct system administrator assistance.

Best,
Israel Cefrin
PKP Team

mattias.olsson · August 19, 2021, 6:07am

@israel.cefrin Thanks!
That is the page that i have found but it doesn’t say how to create the “salt” file to use with “php openssl”

israel.cefrin · August 20, 2021, 1:56pm

Hi @mattias.olsson

The salt parameter is a random hash to include in the config.inc.php file. You can create it manually or using some online password generator.
You will need to adjust the parameter in your config.inc.php file:

github.com

pkp/ojs/blob/main/config.TEMPLATE.inc.php#L262

    
      
          ; Enabling this option provides some amount of additional security, but may
          ; cause problems for users behind a proxy farm (e.g., AOL).
          session_check_ip = On
          
          
; The encryption (hashing) algorithm to use for encrypting user passwords
          ; Valid values are: md5, sha1
          ; NOTE: This hashing method is deprecated, but necessary to permit gradual
          ; migration of old password hashes.
          encryption = sha1
          
          
; The unique salt to use for generating password reset hashes
          salt = "YouMustSetASecretKeyHere!!"
          
          
; The unique secret used for encoding and decoding API keys
          api_key_secret = ""
          
          
; The number of seconds before a password reset hash expires (defaults to 7200 / 2 hours)
          reset_seconds = 7200
          
          
; Allowed HTML tags for fields that permit restricted HTML.
          ; Use e.g. "img[src,alt],p" to allow "src" and "alt" attributes to the "img"

; The unique salt to use for generating password reset hashes
salt = "YouMustSetASecretKeyHere!!"

You can use a free service to generate the password for the salt parameter:
https://www.random.org/strings/

Please, read more about it from this Documentation link:
https://docs.pkp.sfu.ca/admin-guide/en/securing-your-system#the-basics

Best,
Israel Cefrin
PKP Team

mattias.olsson · August 23, 2021, 6:16am

Thank you @israel.cefrin!
I know of that salt setting i the config but the documentation talks about “password reset”, cant see the connection to anonymizing access data, ipś in logs ad so on.

Again, thanks!

muellerscheessel · August 24, 2021, 3:34pm

The salt is set in a separate txt-file which you put in your files-folder. You then specify the path in the usage-plugin.
BTW, you are not the first with this problem (see this thread).

mattias.olsson · August 25, 2021, 6:07am

Thanks @muellerscheessel , i saw that thread.
I made a text file with a generated salt string. But i put it outside of the web three, think its working Thanks!

bozana · August 30, 2021, 12:52pm

I see the issue is solved
Maybe then just to confirm here that the salt in the config.ini is not the same as the salt file needed for usage stats. The salt file for usage stats has to be created by the system admin – it is a text file that should be readable and writable for the web user. The file content will be created automatically and will change daily, so that the hashed IP can not be decrypted.
To see if everything is OK, one could

Generate the file on the server somehow (I don’t know how, or where to store it, etc.)
Provide a full link to the file in the “File path for the anonymizing salt” parameter in the usage plugin
Check the “Respect data privacy” checkbox
After saving the usage plugin settings and after some usage of the web site happened
Check if the salt is in the file and if the IP address in the usage stats log file is hashed

mattias.olsson · August 30, 2021, 1:19pm

@bozana Thanks! Your solution sounds correct! I used the same file for both which sounded wired. This plugin is not so well documented, maybe i will post a howto when and if everything is working
Thanks!!

mattias.olsson · August 30, 2021, 1:32pm

@bozana Tested you suggestions and it works great!
Created a empty text file (on Linux) with touch /path/file and gave the web server read and write permissions. Added the file to the statistics plugin, then some random surfing on the site it self. A salt was created and everything looks great

Thanks for a great reply!!!