I was just wondering, when we are trying to implement an ‘Event Tracking’ mechanism on our web application, should the ‘Event Tracking’ be tied to a session? I noticed that a lot of Event Tracking endpoints allow their users to intercept the request and freely change the content (userId, eventTime, etc.). Being able to freely change the content would allow attackers to spam the Event Tracking data, which would produce inaccurate data for the internal team, right? Should developers first check whether the userId is the same as the user currently issuing the request?
I have been reading OWASP Top 10 articles regarding Insufficient Logging and Monitoring. Is the behavior described above vulnerable to Insufficient Logging and Monitoring?
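The two behaviours the question contrasts, as an added example that is not part of the original post: a handler that stores whatever `userId` and `eventTime` the client sent, beside one that takes the identity from the server-side session, stamps the time itself, rejects a body whose `userId` disagrees with the session, and applies a per-user rate limit against flooding. The session store, the tampered request body, the `EventTracker` class and the fixed clock value are all constructed for the illustration; they do not come from any particular framework.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed session store (assumption): session cookie value -> user id.
SESSIONS = {"sess-abc123": "user-42"}

# Constructed tampered request body: the attacker changed userId and
# eventTime in an intercepting proxy before forwarding the request.
TAMPERED_BODY = {"userId": "user-999", "event": "purchase",
                 "eventTime": "2001-01-01T00:00:00+00:00"}
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Event:
    user_id: str
    event_name: str
    event_time: str          # ISO 8601, assigned by the server in the hardened path
    properties: dict = field(default_factory=dict)


class EventTracker:
    def __init__(self, sessions, max_per_minute=60):
        self.sessions = sessions
        self.max_per_minute = max_per_minute
        self.events = []               # stands in for the analytics sink
        self._counts = {}              # (user_id, minute bucket) -> request count

    def record_untrusted(self, body):
        """Vulnerable variant: stores userId and eventTime exactly as the
        client sent them, so anyone with a proxy can attribute events to
        other users or backdate them."""
        ev = Event(body["userId"], body["event"], body["eventTime"],
                   dict(body.get("properties", {})))
        self.events.append(ev)
        return 201, ev

    def record(self, session_id, body, now=None):
        """Hardened variant: identity from the session, time from the
        server, a client-supplied userId rejected if it disagrees, and a
        per-user rate limit so one account cannot flood the dataset."""
        now = now or datetime.now(timezone.utc)
        user_id = self.sessions.get(session_id)
        if user_id is None:
            return 401, {"error": "not authenticated"}
        if "userId" in body and body["userId"] != user_id:
            # Reject rather than silently overwrite: a mismatch is a tamper
            # signal worth logging for the security team.
            return 403, {"error": "userId does not match session"}
        bucket = (user_id, now.strftime("%Y-%m-%dT%H:%M"))
        self._counts[bucket] = self._counts.get(bucket, 0) + 1
        if self._counts[bucket] > self.max_per_minute:
            return 429, {"error": "rate limit exceeded"}
        ev = Event(user_id, body["event"], now.isoformat(),
                   dict(body.get("properties", {})))
        self.events.append(ev)
        return 201, ev


def demo():
    """Runs both variants on the constructed tampered body and returns the
    outcomes so the difference is visible."""
    t = EventTracker(SESSIONS, max_per_minute=3)
    _, ev_a = t.record_untrusted(TAMPERED_BODY)
    status_b, _ = t.record("sess-abc123", TAMPERED_BODY, now=FIXED_NOW)
    status_c, ev_c = t.record("sess-abc123", {"event": "purchase"}, now=FIXED_NOW)
    # Flood: three more in the same minute; the third of these trips the limit.
    statuses = [t.record("sess-abc123", {"event": "click"}, now=FIXED_NOW)[0]
                for _ in range(3)]
    return {
        "untrusted_user": ev_a.user_id,       # attacker-chosen user-999 stored as-is
        "untrusted_time": ev_a.event_time,    # backdated timestamp stored as-is
        "tampered_status": status_b,          # 403 from the hardened path
        "honest_status": status_c,
        "honest_user": ev_c.user_id,          # user-42, taken from the session
        "honest_time": ev_c.event_time,       # server clock, not the body
        "flood_statuses": statuses,
        "stored": len(t.events),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened path returns 403 on a mismatched `userId` instead of quietly substituting the session's user, because a client that sends a different `userId` than its own session is exactly the event the question worries about and the one worth surfacing in logs. A real deployment would use a shared store for the counters and a proper token bucket rather than a fixed one-minute window, but the ordering (authenticate, verify identity claim, rate limit, then stamp and store) is the part that matters.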