DFE-Digital · DrizzlyOwl · Dec 9, 2024 · Jun 13, 2024
diff --git a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Pages/Public/Cookies.cshtml b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Pages/Public/Cookies.cshtml
@@ -117,6 +117,8 @@
             </tbody>
         </table>
         <h2 class="govuk-heading-l">Analytics cookies (optional)</h2>
+
+        <h3 class="govuk-heading-s">Google Analytics</h3>
         <p class="govuk-body">With your permission, we use Google Analytics to collect data about how you use this
             website. This information helps us to improve our website.</p>
         <p class="govuk-body">Google Analytics is not allowed to use or share our analytics data with anyone.
@@ -127,8 +129,7 @@
             <li>any errors you see while using this website</li>
             <li>what you click on while you are visiting the website</li>
         </ul>
-
-
+        <p class="govuk-body">Google Analytics stores the following cookies:</p>
         <table class="govuk-table" aria-label="Google analytics cookies">
             <thead class="govuk-table__header">
                 <tr>
@@ -150,6 +151,46 @@
                 </tr>
             </tbody>
         </table>
+
+        <h3 class="govuk-heading-s">Application Insights</h3>
+        <p class="govuk-body">We use Azure Application Insights software to collect information about how you use this website. We do this to help make sure the site is meeting the needs of its users and to help us make improvements.</p>
+        <p class="govuk-body">Azure Application Insights stores information about:</p>
+        <ul class="govuk-list govuk-list--bullet">
+            <li>the pages you visit on this website</li>
+            <li>how long you spend on each page</li>
+            <li>how you got to the site</li>
+            <li>what you click on while you're visiting the site</li>
+        </ul>
+        <p class="govuk-body">We don't allow Microsoft to use or share our analytics data.</p>
+
+        <p class="govuk-body">Azure Application Insights sets the following cookies:</p>
+        <table class="govuk-table" aria-label="App Insights cookies">
+            <thead class="govuk-table__head">
+                <tr class="govuk-table__row">
+                    <th scope="col" class="govuk-table__header">Name</th>
+                    <th scope="col" class="govuk-table__header">Purpose</th>
+                    <th scope="col" class="govuk-table__header">Expires</th>
+                </tr>
+            </thead>
+            <tbody class="govuk-table__body">
+                <tr class="govuk-table__row">
+                    <td class="govuk-table__cell">ai_session</td>
+                    <td class="govuk-table__cell">This helps us track activity happening over a single browser session</td>
+                    <td class="govuk-table__cell">1 hour</td>
+                </tr>
+                <tr class="govuk-table__row">
+                    <td class="govuk-table__cell">ai_user</td>
+                    <td class="govuk-table__cell">This helps us to identify the number of distinct users accessing the site over time by tracking if you've visited before</td>
+                    <td class="govuk-table__cell">1 year</td>
+                </tr>
+                <tr class="govuk-table__row">
+                    <td class="govuk-table__cell">ai_authuser</td>
+                    <td class="govuk-table__cell">This helps us to identify authenticated users and how they interact with the site</td>
+                    <td class="govuk-table__cell">When you close your browser</td>
+                </tr>
+            </tbody>
+        </table>
+
         <form method="post">
             <div class="govuk-form-group">
                 <fieldset class="govuk-fieldset">
@@ -180,4 +221,4 @@
                 data-module="govuk-button" data-disable-with="Save changes">
         </form>
     </div>
-</div>
+</div>
diff --git a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Pages/Shared/_Layout.cshtml b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Pages/Shared/_Layout.cshtml
@@ -3,7 +3,8 @@
 @inject Microsoft.FeatureManagement.IFeatureManager _featureManager
 
 @{
-    var showAnalytics = _configuration["GoogleAnalytics:Enable"] == "Yes" && _analytisConsentService.HasConsent();
+    var hasConsented = _analytisConsentService.HasConsent();
+    var showAnalytics = _configuration["GoogleAnalytics:Enable"] == "Yes" && hasConsented;
 
     var titleDescription = Context.Request.Path == "/project-type"
         ? string.Empty
@@ -12,7 +13,8 @@
 
     var widePage = ViewData["WidePage"] != null ? "mfsp-wider-page" : string.Empty;
 
-
+    bool.TryParse(_configuration["ApplicationInsights:BrowserAnalyticsEnabled"], out bool enableAppInsightsBrowserAnalytics);
+    var authenticatedUserId = Context.User.Identity is not null && Context.User.Identity.IsAuthenticated ? Context.User.Identity.Name ?? "Unknown" : "Anonymous";
 }
 
 <!DOCTYPE html>
@@ -34,6 +36,21 @@
     }
 
     <meta charset="utf-8" />
+    @if (hasConsented && enableAppInsightsBrowserAnalytics)
+    {
+        <!-- Application insights -->
+        <script type="text/javascript" integrity="sha384-g/ZkzetdQypWdY0NBZT5r2L3BR9/hURD8OBcd1rEaBpgX6QC7EaTL+o+mzWrBcXW" crossorigin="anonymous" src="https://js.monitor.azure.com/scripts/b/ext/ai.clck.2.8.18.min.js"></script>
+        <script type="text/javascript" asp-add-nonce>
+            window.appInsights = {
+                connectionString: '@_configuration["ApplicationInsights:ConnectionString"]',
+                authenticatedUserId: '@authenticatedUserId'
+            }
+        </script>
+        <script type="text/javascript" src="~/dist/application-insights.min.js" asp-add-nonce></script>
+        <!-- End Application insights -->
+    }
+
+    <meta charset="utf-8"/>
 
     <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
     <meta name="theme-color" content="#0b0c0c">
@@ -114,8 +131,8 @@
             <partial name="Footer/_Footer" />
         }
     }
-    
+
     <script src="~/dist/accessible-autocomplete.min.js" asp-add-nonce></script>
     <script src="~/dist/site.js" asp-add-nonce></script>
 </body>
-</html>
+</html>
diff --git a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Pages/_ViewImports.cshtml b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Pages/_ViewImports.cshtml
@@ -4,4 +4,4 @@
 @using Dfe.ManageFreeSchoolProjects.Extensions
 @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
 @addTagHelper *, Dfe.ManageFreeSchoolProjects
-@addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers
+@addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers
diff --git a/...ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Services/AnalyticsConsentService.cs b/...ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Services/AnalyticsConsentService.cs
@@ -25,9 +25,9 @@ public AnalyticsConsentService(IHttpContextAccessor httpContextAccessor, IConfig
             var domain = _configuration["GoogleAnalytics:Domain"];
             if (!string.IsNullOrEmpty(domain))
             {
-				AnalyticsDomain = domain;
-			}
-		}
+                AnalyticsDomain = domain;
+            }
+        }
 
         public bool? ConsentValue()
         {
@@ -66,20 +66,20 @@ private void SetConsent(bool consent)
             _httpContextAccessor.HttpContext.Response.Cookies.Append(ConsentCookieName, consent.ToString(), cookieOptions);
             var request = _httpContextAccessor.HttpContext.Request;
 
-			if (!consent)
+            if (!consent)
             {
                 foreach (var cookie in request.Cookies.Keys)
                 {
-                    if (cookie.StartsWith("_ga") || cookie.Equals("_gid"))
+                    if (cookie.StartsWith("_ga") || cookie.Equals("_gid") || cookie.StartsWith("ai_"))
                     {
                         //Delete if domain is the same
-						_httpContextAccessor.HttpContext.Response.Cookies.Delete(cookie);
+                        _httpContextAccessor.HttpContext.Response.Cookies.Delete(cookie);
                         //Delete if domain matches - need both as we wont be sent the cookie if the domain doesnt match
-						_httpContextAccessor.HttpContext.Response.Cookies.Delete(cookie, new CookieOptions() { Domain = AnalyticsDomain});
-					}
+                        _httpContextAccessor.HttpContext.Response.Cookies.Delete(cookie, new CookieOptions() { Domain = AnalyticsDomain, Secure = true });
+                    }
                 }
             }
         }
     }
 
-}
+}
diff --git a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Startup.cs b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Startup.cs
@@ -161,7 +161,10 @@ public void ConfigureServices(IServiceCollection services)
                }
            });
 
-        services.AddApplicationInsightsTelemetry();
+        services.AddApplicationInsightsTelemetry(options =>
+        {
+            options.ConnectionString = Configuration["ApplicationInsights:ConnectionString"];
+        });
 
         services.AddHttpClient("MfspClient", (_, client) =>
         {

diff --git a/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/appsettings.json b/Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/appsettings.json
@@ -25,7 +25,8 @@
     "AllowedRoles": "user"
   },
   "ApplicationInsights": {
-    "ConnectionString": "secret"
+    "ConnectionString": "secret",
+    "BrowserAnalyticsEnabled": false
   },
   "CypressTestSecret": "secret",
   "AuthenticationExpirationInMinutes": 60,