Post by eeeee » Sun Jul 28, 2013 3:13 pm

New to Opencart...

Does Opencart always pass the session token in the URLs?

Why doesn't it use a cookie to maintain the session?

I thought I was getting logged out each time I open a new tab and load the admin dashboard, but I realised it's because I'm dropping the session token from the URL.


Post by Qphoria » Sun Jul 28, 2013 10:46 pm

This was a security fix added back in 1.4.8.
There was a possibility that if you were logged in as admin on your site... and someone sent a phishing link to your email... it could be a link that does something in your admin. Basically tricking you into running something on your own site when clicked on.

So the token was added so that it couldn't be exploited. It is a PITA.. but security rules all


Post by eeeee » Mon Jul 29, 2013 12:43 pm

I see. Thank you.


Post by fos » Thu Jul 17, 2014 4:52 am

Is there any way to disable this feature? It drives me crazy because I always get logged out from admin randomly.


Post by Dhaupin » Thu Jul 17, 2014 5:01 am

Yeah, there are ways to do it but it would open you to URL hackeries as src=. The token ensures no one can mask a hypothetical link like "yoursite.com/admin/delete-store" <- missing a token so the URL wouldn't work, and the exploiter couldn't guess your token for the session. If it were in a cookie it would be easy to find your token via script or whatever.

Try adding this to your /admin/php.ini to increase lifetime

session.use_cookies = On
session.use_trans_sid = Off
session.gc_maxlifetime = 172800

Also make sure that when switching between tabs they are the same token or else it will make you log in again eternally between the tabs.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
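
The per-session URL token check discussed in this thread, sketched as an added example that is not part of any post above and is not OpenCart's own code. The function names, the route and the array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
// Added illustration; not OpenCart's code. All names here are hypothetical.

// At login: create an unguessable per-session token and keep it server-side.
function issueToken(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// On every admin request: the URL must carry the same token as the session.
function tokenIsValid(array $session, array $query): bool
{
    if (!isset($session['token'], $query['token']) || !is_string($query['token'])) {
        return false; // no token in the URL (new tab, bookmarked or forged link)
    }
    return hash_equals($session['token'], $query['token']); // constant-time compare
}

// Build an admin link that carries the current session's token.
function adminLink(string $route, array $session): string
{
    return 'index.php?' . http_build_query(['route' => $route, 'token' => $session['token']]);
}

// Constructed demo: the array stands in for $_SESSION so this runs from the CLI.
$session = [];
issueToken($session);

$requests = [
    'link generated by the admin panel' => adminLink('catalog/product', $session),
    'link with no token (new tab or phishing e-mail)' => 'index.php?route=catalog/product',
    'link with a guessed token' => 'index.php?route=catalog/product&token=' . str_repeat('0', 32),
];

foreach ($requests as $label => $url) {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    printf("%-50s %s\n", $label, tokenIsValid($session, $query) ? 'allowed' : 'redirect to login');
}
```

Only the first request is allowed. A link opened without the token is treated the same as a forged one, which is why a new tab lands on the login page.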

