When installing I was faced with a question about using cookies or putting the session ID in the URL. I then decided: "Mwah, if you can do it without cookies, then that's great, then we won't use cookies". But I have decided that this doesn't work for me. If you keep clicking around in one window, it all works. But I have links into the admin pages for an order from outside the shop software. So then I get a new session and need to log in again.
So I do not like the decision I made on that front. How can I revert that decision? Where is it stored?
OpenCart has never had the option to put the session ID in the URL. Are you sure you're not getting mixed up with the token? Which is something very different and needed for security.
Ok. It puts SOMETHING in the URL which means I get logged out when I want to view a second "shipping" page. (When my shop sells something I process the email into an invoice in my homebrew invoicing system. I use my invoices as the "to ship" list, and to double-check the shipping address I have a link there to the "shop order".)
When you follow a link to the OpenCart admin you should see the login page. However, once you log in, you should be redirected to the page of the original link. Although clicking on links to your admin and logging in is a really bad idea from a security perspective.
OpenCart doesn't follow RFC 7231 and has a lot of actions that can be performed via a GET, so removing the token wouldn't be a simple process.