@mahesh978 opened this Issue on March 7th 2018

we configured piwik on wamp server. but we are facing issue regarding the token. we are using burp tool for testing purpose when user logout from piwik. if he again visit the same page he can access all the details.
can we have solution to hide or remove auth_token from piwik.

@tsteur commented on March 7th 2018 Member

I am not quite sure what you mean. Do you log in the user? The regular way? The token_auth is like a combination of username and password and using this it is possible to access data. Every user has a token_auth which is currently expected. Did you mean you want to hide or remove the token_auth from the Piwik UI in the personal settings? This is currently not really possible yet as the token would be possibly still visible in the source of the website (eg right click View Page Source). We will eventually remove it from the source of the site to improve security even further, then it would make sense to also add a feature to not show the token to the user in the UI 👍
There are some other work arounds though maybe. For example every time the user logs out, you could create a new token_auth. In case the user is not logged in, you could even do this for example one hour after the last action or something.

Apart from this I'm not quite sure why the user is not supposed to be able to access data with the token when the user can also just log in anyway?

@mahesh978 commented on March 8th 2018

thanks @tsteur for your reply.
my question is simple when we Login to piwik. one piwik_auth cookie is getting generated which is same for a user. with the cookie after logout also user can visit the same page without using Login credentials and he can do all operations.
we tested with burp tool i attached image of the tool after logout.
Burp tool Image
left hand side we can see all the cookies and right hand side the html for the page so directly we can browse the page. as security is main concern for us.
is there any way to hide Authentication token as i'm new to piwik so i don't know complete features.

@fdellwing commented on March 8th 2018 Contributor

As @tsteur mentioned, this is working as intended. The token_auth is an alternative way to login into Matomo and should be threated with the same care as the password.

@mahesh978 commented on March 8th 2018

yes but i don't think it is the proper way for some secured sites as anyone having access to the browser can get Auth_token without sharing. and with a get request we will directly get an Auth_token.

@tsteur commented on March 8th 2018 Member

Now I know what you mean @mahesh978 . Check out https://github.com/matomo-org/matomo/pull/12208 👍 I'll close this now as answered but feel free to reopen or comment on that issue.

This Issue was closed on March 8th 2018
Powered by GitHub Issue Mirror