SuperCharlie Posted May 29, 2012

Ok.. in a way I kinda like this but the security nerd in me has to say something. In both the latest 1.4 version and the latest 1.5 beta, if you log in to the admin, click somewhere, create a bookmark or copy the URL, close the browser, then open the browser and click the bookmark or paste the URL, you are not prompted to log back in. This persists even through a reboot. This allows anyone who has access to your PC the capability to go to your history and bypass the admin login.

While it is nice to have a bookmark to always jet straight to customers or orders admin, the security nerd in me knows this is a no-no. There are a lot of ways this could be used to, say, email the link or copy the link to a thumb drive or other ways to pass the link along and then bypass the login. Just a heads-up.

Mike Kranzler Posted May 29, 2012

Hi SuperCharlie,

This is normal behavior on any website, not just PrestaShop. This information is stored in your browser's cookies, and it performs as you described above on that browser on that computer until you clear the cookies. For example, I have an Insider account on ESPN.com. This gives me access to premium (paid) content, but the only time I'm prompted to log in is if I'm on another computer or browser, or if I've cleared my cookies on that original browser. This is how most websites work, so I'm not quite sure what the concern would be when it comes to PrestaShop. At the same time, I just replicated the exact procedure you described on my own bank account; this is something you can find on any website that tracks cookies. On that note, I'm going to go ahead and clear my cookies right now.

-Mike

SuperCharlie Posted May 29, 2012

Mike, when I tried this last night I opened the link in another browser (IE); I do development in Firefox. I must have previously logged in with IE since I just cleared my IE cookies and it did not let me in and presented the login screen. Sorry for the mis-report. I would however suggest expiring the logins after a certain amount of inactivity as it does leave a small hole for opportunity. A lot smaller than I assumed.

Mike Kranzler Posted May 29, 2012

No worries, I'm glad that we were able to clear this up!

-Mike

Dh42 Posted May 30, 2012

SuperCharlie,

You could set your browser to clear cookies on close. At the same time under the preferences tab you can set the lifetime for the cookies too.
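
The inactivity expiry suggested in the thread, shown as an added example that is not PrestaShop's code and not from any poster: the server signs the login cookie and rejects it after an idle period or an absolute lifetime, regardless of the cookie lifetime the browser keeps. The function names, the key and both timeout values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed sample key; load a real one from config
IDLE_TIMEOUT = 15 * 60            # assumed policy: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 60 * 60   # assumed policy: 8 hours since login


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()


def issue(user, now, login_at=None):
    """Return a cookie value: base64(JSON claims) + "." + HMAC-SHA256 tag."""
    claims = {"user": user, "login_at": now if login_at is None else login_at,
              "last_seen": now}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (payload + b"." + _sign(payload)).decode()


def check(cookie, now):
    """Return (user, refreshed_cookie), or (None, reason) when a login is required."""
    payload, _, tag = cookie.encode().partition(b".")
    # Verify the tag before parsing anything the browser sent.
    if not hmac.compare_digest(tag, _sign(payload)):
        return None, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now - claims["last_seen"] > IDLE_TIMEOUT:
        return None, "idle timeout"
    if now - claims["login_at"] > ABSOLUTE_LIFETIME:
        return None, "absolute lifetime exceeded"
    # Sliding window: each accepted request moves last_seen, never login_at.
    return claims["user"], issue(claims["user"], now, claims["login_at"])
```

A copied cookie still works until its idle window runs out, so revoking a session on logout needs a server-side session record in addition to these checks.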