Find TrackContext ID logic does not consider anonymous authentication

Fixed in

EPiServer.Find 13.2.0

Created

Jun 28, 2018

Updated

Jun 24, 2019

State

Closed, Feature request


Description

Find TrackContext ID logic does not take anonymous authenitication into account.
By our current logic, this rendesr an identical track (session) based on an empty username. This messes up statistics for those who use anonymous authentication.

We are checking HttpContext.Current.User and HttpContext.Current.User.Identity

            if (HttpContext.Current.User.IsNotNull() && HttpContext.Current.User.Identity.IsNotNull())
                {
                    this.Id = HashString(HttpContext.Current.User.Identity.Name);

These will not be null/empty if you're not logged in / anonymously authenticated.

Not logged in
System.Web.HttpContext.Current.User =

{EPiServer.Security.VirtualRolePrincipal}
System.Web.HttpContext.Current.User.Identity = {System.Security.Principal.GenericIdentity}
System.Web.HttpContext.Current.User.Identity.Name = ""

Logged in
System.Web.HttpContext.Current.User = {EPiServer.Security.VirtualRolePrincipal}

System.Web.HttpContext.Current.User.Identity =

{System.Web.Security.FormsIdentity}

System.Web.HttpContext.Current.User.Identity.Name = "random.name.goes.here"

One approach could be to also check Request.IsAuthenticated, which should exclude anonymously authenticated users.