
Landing Page Reports Shows Username & Password

Follower ✭ ✭ ☆
# 1

I have a website that has registration & login functionality for the users.

Upon checking Google Analytics, the landing page section is displaying many URLs with the usernames and passwords of the users who logged in to the website. Also, the events report shows the same.

Here is how it is being displayed: https://example/com//?uName=XXXXXXX&pwd=YYYYYY

My requirement is that URLs with the above format (including usernames and passwords) should not be tracked and reported in Google Analytics.

Can someone please help me with a permanent solution?

1 Expert reply

Re: Landing Page Reports Shows Username & Password

Top Contributor
# 2
Hi Sri
Google Analytics simply pulls whatever is displayed in the URL.
It's extremely poor security practice to be sending your users' usernames and passwords in a GET request instead of a POST request. This is something that you should be more concerned about than the reporting mess, in my opinion.

If you and your users are happy for their private details to be sent in plain text, then that's your prerogative. If you want to get rid of the usernames and passwords in the reports, you can use a custom filter that uses search and replace with a regex: https://support.google.com/analytics/answer/1033162?hl=en

Again, it would be preferable not to be sending this data to Google at all as I'm pretty sure it violates the personally identifiable information policy, so I'd speak to your webmaster immediately about this to get it resolved.

As a final note, you could simply remove the GA code on the login page and that would prevent this from happening. Unless of course the username and password stay in the URL as the user browses their account area.

Hope that helps somewhat.

Re: Landing Page Reports Shows Username & Password

Follower ✭ ✭ ☆
# 3
Hi Dave,

Thanks for your quick reply.
We have used POST, not GET; still, we are facing this problem.

Is there any way other than removing the GA code for the login page? It is extremely important for me to track the number of users who log in/sign up.

Thanks,
Sri

Re: Landing Page Reports Shows Username & Password

Follower ✭ ✭ ✭
# 4

Hi Sri,

Concerning the URLs, you can remove those two parameters from Google Analytics reports by properly configuring the "Exclude URL Query Parameters" box in Admin --> View settings, as in the following screenshots:

[Screenshot: Example of Account, Property and View settings]

[Screenshot: View settings]

[Screenshot: Exclude URL Query Parameter box]

This should be done for every View reporting this data.

Notice: this doesn't mean that the information is not tracked at all; in fact, the full URL is sent to Google Analytics servers, along with all the other tracking data; with the above configuration, this information is removed from the reports.

However, appending the user name and password to a query string is a very bad practice (think what could happen if some of these URLs get indexed by search engines... Or if such a URL gets suggested by the browser when a different user starts typing the main domain in the navigation bar...), so I would strongly recommend changing this kind of website implementation, passing these parameters as POST variables, and other security measures that would be too long to report here... Please notice that this has nothing to do with analytics, but with web development best practices in general.

Concerning the event tracking of user name and password, this means that there is some tracking code implemented in the website that tracks this information as events.

This tracking code could be directly implemented in the website, or it could have been implemented via a tag manager, like Google Tag Manager. In this latter case, the event tag could be modified via the tag manager panel.

In either case, I think the quickest solution would be to modify the tracking implementation and remove this information from the login and registration events.

Hope it helps.

Best,

Gabriele

Marked as Best Answer.
Solution
Accepted by topic author Shashank S
June 2016

Re: Landing Page Reports Shows Username & Password

Follower ✭ ✭ ✭
# 5
Sorry, I have now read Dave's post and your reply to Dave, where you say that you are using POST variables for username and password.

In this case it is strange that you see this information in the GA data, because by default the landing page report shows the URL as the primary dimension, and in the URL you should not see any POST data.

If you see them, it means one of the following two things:

1) You are inadvertently sending these parameters also as GET variables, so there are real URLs on your website that contain passwords and usernames. In this case you should remove them asap.

2) There are no real GET variables sent and no real URLs with the password appended, but the GA tracking code has been configured to track a virtual URL that is composed of the real URL + the POST parameters appended in the query string.

In this case, you could apply the View settings configuration I already posted before (or equivalently apply a search and replace filter as Dave suggested) or modify the tracking code implemented in the website, by removing the username and password from the tracked virtual URL (I would go with this second solution, which is more secure).

Hope it helps.
Gabriele
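
Added example (not part of Gabriele's post and not the site's own code): one way to make the tracking-code change recommended in posts #4 and #5, stripping the credential parameters in the browser before the hit is built, so they are never sent to Google Analytics rather than only hidden in reports. The parameter names `uName` and `pwd` come from the thread; the function names, the placeholder base URL and the sample URLs in the checks are assumptions, and the wiring assumes the analytics.js (`ga`) snippet.

```javascript
// Query parameters that must never reach analytics. uName and pwd are the
// names from the thread; extend the list for your own site (assumption).
const SENSITIVE_PARAMS = ['uname', 'pwd'];

// Parse rawUrl (absolute, or relative to base) and delete sensitive parameters.
// Names are compared case-insensitively; all other parameters are kept.
function stripSensitiveParams(rawUrl, base) {
  const url = new URL(rawUrl, base || 'https://placeholder.invalid');
  const dropped = new Set();
  // Snapshot the keys first: deleting while iterating the live list skips entries.
  for (const key of Array.from(url.searchParams.keys())) {
    if (SENSITIVE_PARAMS.includes(key.toLowerCase())) {
      dropped.add(key);
      url.searchParams.delete(key);
    }
  }
  return { url, dropped: Array.from(dropped) };
}

// Build the values for the analytics.js fields that carry a URL.
// The fragment is left out of both values.
function safeTrackingFields(rawUrl, base) {
  const { url, dropped } = stripSensitiveParams(rawUrl, base);
  const page = url.pathname + url.search;
  return { page, location: url.origin + page, dropped };
}

// Browser wiring: runs only where the analytics.js ga() function is loaded.
if (typeof window !== 'undefined' && typeof window.ga === 'function') {
  const here = safeTrackingFields(window.location.href);
  window.ga('set', 'location', here.location);
  window.ga('set', 'page', here.page);
  if (document.referrer) {
    // The previous page's URL may carry the same parameters.
    window.ga('set', 'referrer', safeTrackingFields(document.referrer).location);
  }
  if (here.dropped.length > 0) {
    // Log parameter names only, never their values.
    console.warn('Sensitive query parameters in URL:', here.dropped.join(', '));
  }
  window.ga('send', 'pageview');
}
```

If `dropped` is ever non-empty for a real page URL, the site is in case 1 of post #5 (credentials in real GET URLs), and the form handling itself still needs to be fixed.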

Re: Landing Page Reports Shows Username & Password

Follower ✭ ✭ ☆
# 6
Hi Gabriele,

Thanks a lot for the detailed insight.
I will come back to you shortly with the results.

Regards,
Sri