Post by RideTheWave » Tue Jul 18, 2017 7:11 am

If I logged into the OpenCart admin on a public computer, would there be any harm if someone saw and copied the exact url I was visiting? For example, one of the url's might be something like this:

Code: Select all

mydomain.com/admin/index.php?route=common/dashboard&token=JdiNzK.......6XVoZg
I noticed that url includes a token ID. If someone had seen that url & somehow copied it, would they be able to access the admin on another computer at a different time? Or is there any other harm that could come if someone knew the url's you were visiting when logged into the admin?

Right now, I'm assuming it's safe because the token ID's eventually change after a period of time. But if someone had the url at a time when the token hadn't yet expired, would they be able to log into the admin? Or is there some safeguard that identifies a token with a specific computer only?

New member

Posts

Joined
Fri May 19, 2017 8:29 am

Post by GoGo OpenCart » Tue Jul 18, 2017 7:43 am

Login to Chrome, copy the URL, past it in Firefox, and you'll see that's not possible to login just with the URL, even on the same computer, let alone on another one ;)

See all my extensions: https://www.opencart.com/index.php?rout ... 20OpenCart


User avatar
Active Member

Posts

Joined
Mon Nov 14, 2011 11:30 pm

Post by RideTheWave » Tue Jul 18, 2017 8:22 am

Thanks, this is great to know. So does this token system insert something into the browser (similar to cookies) which only that particular browser can use? And logging out of the admin removes whatever was inserted?

What if I was on vacation and I wanted to log into the admin on the hotel's wi-fi network? Is it safe to do so? I'm pretty sure wi-fi administrators can see the url's visited on their network. Based on the answer above, I'm feeling confident that they probably wouldn't be able to see my admin pages (due to the token system). But can they see the password that I enter?

Is it safer to log into the admin on a hotel's wi-fi network or a cell phone company's data network (ie/ T-mobile, Verizon, etc.). My first thought was that it's safer with the cell company's network just because it's a lot larger and thus there'd be less chance of someone zeroing in on your particular data than a much smaller Wi-Fi network in a hotel.

New member

Posts

Joined
Fri May 19, 2017 8:29 am

Post by paulfeakins » Tue Jul 18, 2017 5:07 pm

RideTheWave wrote:
Tue Jul 18, 2017 8:22 am
Thanks, this is great to know. So does this token system insert something into the browser (similar to cookies) which only that particular browser can use? And logging out of the admin removes whatever was inserted?
Yes, a cookie, there isn't anything else.


RideTheWave wrote:
Tue Jul 18, 2017 8:22 am
What if I was on vacation and I wanted to log into the admin on the hotel's wi-fi network? Is it safe to do so? I'm pretty sure wi-fi administrators can see the url's visited on their network. Based on the answer above, I'm feeling confident that they probably wouldn't be able to see my admin pages (due to the token system). But can they see the password that I enter?
They could get your passwords unless your site uses HTTPS.


RideTheWave wrote:
Tue Jul 18, 2017 8:22 am
Is it safer to log into the admin on a hotel's wi-fi network or a cell phone company's data network (ie/ T-mobile, Verizon, etc.). My first thought was that it's safer with the cell company's network just because it's a lot larger and thus there'd be less chance of someone zeroing in on your particular data than a much smaller Wi-Fi network in a hotel.
Cell phone is safer if you don't use HTTPS. But of course, you should:
https://www.antropy.co.uk/blog/it-s-tim ... -to-https/

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Active Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom
Who is online

Users browsing this forum: acidrs and 37 guests