
Google analytics illegal cookie breaks Python backend

In my feed, which is published to FeedBurner, I have Russian characters in the campaign name in the tracking settings (Feed: ${feedUri} ${feedName}). The problem is that this results in an incorrect __utmz cookie being set by Google Analytics, which cannot be processed by my backend (which is web.py).

  File "/home/dw0rm/lib/ve/lib/python2.7/site-packages/web/session.py", line 96, in _load
    self.session_id = web.cookies().get(cookie_name)
  File "/home/dw0rm/lib/ve/lib/python2.7/site-packages/web/webapi.py", line 359, in cookies
    cookie.load(ctx.env.get('HTTP_COOKIE', ''))
  File "/usr/local/lib/python2.7/Cookie.py", line 627, in load
    self.__ParseString(rawdata)
  File "/usr/local/lib/python2.7/Cookie.py", line 660, in __ParseString
    self.__set(K, rval, cval)
  File "/usr/local/lib/python2.7/Cookie.py", line 580, in __set
    M.set(key, real_value, coded_value)
  File "/usr/local/lib/python2.7/Cookie.py", line 455, in set
    raise CookieError("Illegal key value: %s" % key)
CookieError: Illegal key value: )|utmcmd

This error occurred in Firefox, and I have managed to fix it with this code:

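import web
from Cookie import CookieError  # Python 2 module; http.cookies on Python 3

def myinternalerror():
    try:
        web.cookies()
    except CookieError:
        # Malformed cookie: overwrite __utmz and redirect once; the
        # cookie_err query flag prevents a redirect loop.
        if "cookie_err" not in web.input():
            web.setcookie("__utmz", None, domain=web.ctx.host)
            raise web.seeother(web.changequery(cookie_err=1))
    # `render` is the application's own template renderer.
    return web.internalerror(render.site.e500())
app.internalerror = myinternalerror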

But today I got this "cookie_err=1" redirect even in Chrome. I tried this on some other sites that are based on web.py and Analytics, and they all raise an internal server error. This error persists until the illegal cookie is removed, which is a difficult thing for a regular visitor to do.

I want to know what other options I should consider. Maybe the Python Cookie module is incorrect, or it is a browser bug that lets in an incorrect cookie. This stuff can be used for malicious purposes, because there are many Python websites that use Google Analytics and the Cookie module.

This is the tracking query: utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed%3A+cafenovru+%28%D0%9E%D0%BF%D0%B8%D1%81%D1%8C+%D1%82%D1%80%D0%B0%D0%BF%D0%B5%D0%B7%D0%BD%D1%8B%D1%85+%D0%92%D0%B5%D0%BB%D0%B8%D0%BA%D0%BE%D0%B3%D0%BE+%D0%9D%D0%BE%D0%B2%D0%B3%D0%BE%D1%80%D0%BE%D0%B4%D0%B0%29

The incorrect __utmz cookie value is 37098290.1322168259.5.3.utmcsr=feedburner|utmccn=Feed:%20cafenovru%20(Опись%20трапезных%20Великого%20Новгорода)|utmcmd=twitter

The illegal cookie is set by the Analytics JavaScript on the first page access, and the server-side error appears on subsequent requests.

asked Nov 24 '11 21:11

Andrey Kuzmin
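
The failure described in the question comes from one malformed cookie aborting the parse of the whole Cookie header, which takes the session cookie down with it. As an added example (not code from the question, the answers or web.py), this Python 3 function checks each pair against the RFC 6265 grammar and drops only the offending one; `parse_cookie_header` is a hypothetical helper name, and the session id and `__utma` values are constructed samples.

```python
import re

# RFC 6265: cookie-name is an RFC 2616 token; cookie-value is a run of
# cookie-octets (printable US-ASCII except space, '"', ',', ';' and '\'),
# optionally wrapped in double quotes.
_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
_VALUE = re.compile(r'(?:"%s*"|%s*)' % (_OCTET, _OCTET))


def parse_cookie_header(header):
    """Return (cookies, rejected): valid pairs as a dict, bad pairs as a list."""
    cookies, rejected = {}, []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        if sep and _NAME.fullmatch(name) and _VALUE.fullmatch(value):
            cookies.setdefault(name, value)  # first occurrence wins
        else:
            rejected.append(pair)  # log these; do not fail the request
    return cookies, rejected


# Constructed header: the __utmz value is the one quoted in the question,
# the session id and __utma values are made-up samples.
SAMPLE_HEADER = (
    "webpy_session_id=0123456789abcdef0123456789abcdef01234567; "
    "__utmz=37098290.1322168259.5.3.utmcsr=feedburner|utmccn=Feed:%20cafenovru"
    "%20(Опись%20трапезных%20Великого%20Новгорода)|utmcmd=twitter; "
    "__utma=37098290.1.2.3.4.5"
)

if __name__ == "__main__":
    good, bad = parse_cookie_header(SAMPLE_HEADER)
    print("kept:", sorted(good))
    print("dropped:", [p.split("=", 1)[0] for p in bad])
```

Only `__utmz` is dropped, because its value contains non-ASCII characters; the session cookie is still available, so the visitor is not locked out until the cookie is cleared.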


2 Answers

I know this is probably not the answer you're looking for, but the best solution for this bug is to just upgrade from ga.js to analytics.js. Analytics.js is the newest version of the Google Analytics web tracking library and is part of universal analytics. Analytics.js only writes a single cookie, so it completely avoids this problem.

The tricky problem with this bug is it's been around for a long time, and many GA users have existing workarounds in place. To fix it now would break a lot of those sites, so I think it's unlikely that Google will do anything about it, especially since analytics.js has already fixed this problem, and ga.js will soon be deprecated.

Once again, I know this isn't the answer you're looking for, but I just want to reiterate that implementing any workaround for this issue yourself will most likely be a huge waste of time. You'll have to upgrade soon anyway, and then your workaround will have been unnecessary.

Here's some more information on how analytics.js uses cookies: https://developers.google.com/analytics/devguides/collection/analyticsjs/domains

answered Oct 24 '22 08:10

Philip Walton


This smells like a UTF-8 encoding issue. Or worse, you might be using KOI8-R or Windows 1251.

In any case, there are ways to avoid problems. One way is to Base64 encode your cookie string before you send it, that way the Cyrillic characters are safely hidden.

But have a look at your code. If you are not UTF-8 encoding the cookie string before writing it out, that might also solve the problem. When I look through the string it seems to be pairs of codes with the first code always being D0 or D1. That suggests that you are using raw Unicode on a Python compiled with 16-bit Unicode characters, or using UCS-2 encoding for the string instead of UTF-8.

answered Oct 24 '22 06:10

Michael Dillon