Post by subdivide » Fri Nov 16, 2012 6:07 pm

Hey All!

I'm developing a site for a client and he would prefer to have "pretty urls" for the admin area and remove the token string.

I'm working to create a separate version of the seo_url controller to use in the admin area but I'd like to pick the brains of any other devs to see what might be the best way to make it work without a bunch of user intervention.

In other words, we can't add all these pages to the url_alias table, the router needs to be able to route and rewrite urls based on what already exists as opposed to entering keywords as we do with products, information etc. Obviously some dynamic routing would be best as opposed to adding each possible call to the seo_url controller.

And then there's the token ... maybe I'm not getting it completely, but the token is already set in the session, it seems redundant to me to have to pass the token in the request. In the current schema we're testing to see if the user is logged in, we're testing if the token is passed in the request, and then we're testing the request token against the session token.

Is there some reason I'm missing that the token can't be linked to the $user->login so that we can simply test the logged in token with the session token?

Anyway, I'd appreciate any thoughts and advice on knocking this out, then of course I'll be happy to share it with the community.

Thanks guys!

-V

New member
Joined Sun Jan 01, 2012 9:47 am
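One way to do the "dynamic routing" asked for above, as an added example that is not OpenCart's own code and not part of the original post: derive the internal route from the path instead of looking each page up in url_alias, and derive the pretty URL from the route in reverse. The admin mount point (/admin/), the default route (common/dashboard) and the rule that the route string is what selects the controller file are assumptions for the example. The security point worth keeping whatever the framework: because the route picks a file to load, every segment is validated against a strict character class before it is used, so ".." or a file name can never reach the include.

```php
<?php
// Added example, not OpenCart's own code: map "pretty" admin paths to the
// internal route parameter and back, with no url_alias lookup.
// Assumptions: the admin is mounted at /admin/, the default route is
// common/dashboard, and the route string is what selects the controller file.

final class AdminPrettyRouter
{
    // A route segment may only contain what a controller file name may
    // contain. Because the route ends up selecting a file to include,
    // dots, backslashes, percent-encoded bytes and upper case are rejected.
    private const SEGMENT = '/^[a-z0-9_]+$/';

    /** @var string */
    private $basePath;

    public function __construct(string $basePath = '/admin/')
    {
        $this->basePath = $basePath;
    }

    /** "/admin/catalog/product/edit?product_id=42" -> "catalog/product/edit"; null if invalid. */
    public function pathToRoute(string $url): ?string
    {
        $path = parse_url($url, PHP_URL_PATH);
        if (!is_string($path) || strpos($path, $this->basePath) !== 0) {
            return null;
        }
        $rest = trim(substr($path, strlen($this->basePath)), '/');
        if ($rest === '') {
            return 'common/dashboard';
        }
        $segments = explode('/', $rest);
        foreach ($segments as $segment) {
            if (!preg_match(self::SEGMENT, $segment)) {
                return null;   // e.g. "..", "config.php", "%2e%2e"
            }
        }
        return implode('/', $segments);
    }

    /** Reverse mapping: "catalog/product/edit" + args -> pretty URL.
     *  The CSRF token is deliberately kept out of the URL. */
    public function routeToPath(string $route, array $args = []): ?string
    {
        if ($this->pathToRoute($this->basePath . $route) === null) {
            return null;
        }
        unset($args['token']);
        $url = $this->basePath . $route;
        return $args ? $url . '?' . http_build_query($args) : $url;
    }
}

// Constructed sample requests, not captured traffic.
$router = new AdminPrettyRouter();
$samples = [
    '/admin/catalog/product/edit?product_id=42',
    '/admin/',
    '/admin/../config.php',
    '/admin/catalog/Product',
];
foreach ($samples as $url) {
    echo $url, ' => ', var_export($router->pathToRoute($url), true), PHP_EOL;
}
echo $router->routeToPath('catalog/product/edit', ['product_id' => 42, 'token' => 'secret']), PHP_EOL;
```

The rewrite rule on the web server side (sending every /admin/* request to admin/index.php) is not shown; pathToRoute would be fed the request path there, and a null result should produce a 404 rather than a fallback include.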

Post by rph » Fri Nov 16, 2012 6:37 pm

subdivide wrote:And then there's the token ... maybe I'm not getting it completely, but the token is already set in the session, it seems redundant to me to have to pass the token in the request.
No, that's the entire point. It prevents CSRF attacks.

https://www.owasp.org/index.php/Cross-S ... %28CSRF%29

-Ryan


rph
Expert Member
Joined Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by subdivide » Fri Nov 16, 2012 6:49 pm

And the millions of other websites with admin and member's areas that don't pass a token in the url? How do they manage to survive?

This is simply a lazy and ugly way to do it. You could add the token anywhere into any object and get the same result without all the ugliness.

Just sayin ...


Post by rph » Fri Nov 16, 2012 7:56 pm

Are you freakin' kidding me? Tokens are used all over the damn place. ::)

You're clearly not understanding the point here.

-Ryan


Post by subdivide » Sat Nov 17, 2012 12:52 am

rph wrote:You're clearly not understanding the point here.
I didn't start this topic to get into a pissing contest about tokens, but since you want to be a know-it-all, perhaps you should reread the article you referenced:
Disclosure of Token in URL

While this control does help mitigate the risk of CSRF attacks, the unique per-session token is being exposed for GET requests. CSRF tokens in GET requests are potentially leaked at several locations: browser history, HTTP log files, network appliances that make a point to log the first line of an HTTP request, and Referrer headers if the protected site links to an external site.
Perhaps you could use your knowledge to help answer the question at hand and quit the fan boy fussing about the virtues of tokens? ::)

Thanks.

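The two technical points in this thread, why the token has to be checked in the request as well as the session (the "three tests" described in the opening post) and why it need not live in the URL (the OWASP passage quoted above), in one added example. This is not OpenCart's code and not from any post here; it assumes PHP 7.1 or later for random_bytes, hash_equals and nullable types, and the $session, $post, $headers and $get arrays stand in for the real request and session objects (a real deployment reads the header from $_SERVER['HTTP_X_CSRF_TOKEN']).

```php
<?php
// Added example, not OpenCart's own code. Shows why the admin token must
// travel in the request and not only in the session, and how to carry it
// outside the URL. Assumes PHP 7.1+; $session, $post, $headers and $get
// are stand-ins for the real request/session objects.

/** At login: mint a fresh token and bind it to this session. */
function issueAdminToken(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

/**
 * Return the token the request carried, preferring places that are not
 * written to logs or leaked through the Referer header: a POST field,
 * then a custom header. The query string is accepted only when
 * $allowQuery is true, and even then only for requests that change nothing.
 */
function requestToken(array $post, array $headers, array $get, bool $allowQuery = false): ?string
{
    if (isset($post['token']) && is_string($post['token'])) {
        return $post['token'];
    }
    if (isset($headers['X-CSRF-Token']) && is_string($headers['X-CSRF-Token'])) {
        return $headers['X-CSRF-Token'];
    }
    if ($allowQuery && isset($get['token']) && is_string($get['token'])) {
        return $get['token'];
    }
    return null;
}

/** The three checks described in the opening post, in order. */
function isAuthorised(array $session, ?string $token): bool
{
    if (empty($session['user_id'])) {                    // 1. is the user logged in?
        return false;
    }
    if ($token === null || !isset($session['token'])) {  // 2. was a token supplied?
        return false;
    }
    return hash_equals($session['token'], $token);       // 3. does it match? (constant time)
}

// --- Demonstration with constructed data, not captured traffic -------------

$session = ['user_id' => 1];     // the browser already holds a valid admin session cookie
$token   = issueAdminToken($session);

// A forged request from another origin: the browser attaches the session
// cookie by itself, so check 1 passes, but the attacker does not know the
// token and cannot put it in the body or a header.
$forgedPost = ['product_id' => 42, 'status' => 0];
echo 'forged request:        ', var_export(isAuthorised($session, requestToken($forgedPost, [], [])), true), PHP_EOL;

// The legitimate admin form posts the token in the body, never in the URL.
$realPost = ['product_id' => 42, 'status' => 0, 'token' => $token];
echo 'form with token:       ', var_export(isAuthorised($session, requestToken($realPost, [], [])), true), PHP_EOL;

// An XHR call sends it as a header instead.
echo 'XHR with header:       ', var_export(isAuthorised($session, requestToken([], ['X-CSRF-Token' => $token], [])), true), PHP_EOL;

// A token that only appears in the query string is ignored by default.
echo 'token only in URL:     ', var_export(isAuthorised($session, requestToken([], [], ['token' => $token])), true), PHP_EOL;

// A wrong token with a valid session still fails check 3.
echo 'wrong token:           ', var_export(isAuthorised($session, requestToken(['token' => 'guess'], [], [])), true), PHP_EOL;
```

Binding the token to the login (issueAdminToken) is exactly what makes the session-side value trustworthy; it is the request-side copy that proves the request was built by a page that had access to the token, which a cross-site form never has. Moving that copy from the query string to the POST body or a header is what answers the OWASP "disclosure of token in URL" point without weakening the check.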

Post by rph » Sat Nov 17, 2012 1:30 am

Fanboy? Really? If you don't understand the purpose of tokens that's fine but don't blame it on me. They're used all over the place. cPanel, phpMyAdmin, Magento, Zen Cart, Drupal, etc.

-Ryan


Post by subdivide » Sat Nov 17, 2012 1:57 am

I completely understand the purpose but you're missing the point.

The admin section is the most flexible area of the framework, I can put it anywhere, under any url, on a different server, on my local machine ... it's the least vulnerable part of the script.

If tokens are such a crucial part of the equation, why don't we see them in the account and affiliate areas where the access paths are publicly available, and phishing emails or other attacks would do the most damage.

I find it hard to believe that any decent admin is going to fall for clicking on a link in an email or whatever attack is engineered to their own site. Maybe I'm too optimistic.

Aside from which I never said that they should be eliminated, I simply said it should be done more elegantly than an ugly link in the browser.

I appreciate your thoughts on tokens ... so can we move on and get back to the real question please?

Thanks.
