Never send token_auth as GET parameter, but send it as POST instead #7349
Comments
Note: this is already done for Ajax requests in the UI; it was done in #3359.
Note that we can also use HTTP headers to pass the token. I don't know if there's any reason to prefer one method to the other though.
After having a look, we have for example Amazon and GitHub that use the official
One advantage I see with this is that you are not forced to use POST requests: you can keep using GET, but also any other HTTP method. So this would be necessary if we ever want to do REST, so I think using headers is better because it would be forward compatible.
Quick note: the change in this issue would not force the use of POST or GET, as the Piwik API already works when called with POST or GET (either will work). Currently Ajax requests in the UI use POST (to hide the token_auth) and the core:archive command uses GET.
It would "force" the use of POST if you want to keep the token secure though.
To clarify: this issue is only about controlling within the Piwik
In general, we cannot force the use of POST since already thousands of users
Yes the GET method with URL parameter would still work in any case.
I understand, but I don't see how it affects POST vs headers. We could change all requests in Piwik itself to use POST, but we could also change them to use headers for the token (and add support for that in the API). I believe going the "headers" way is better because it would allow us to move more easily towards REST. If we just do POST instead of GET everywhere inside Piwik, that's going the opposite way of REST. E.g. using POST to get information doesn't make sense in HTTP.
Ok, I now understand your point, that we should not use POST because it's not the way of REST. +1 for that and for
@mattab could you clarify if this affects using widgets? It seems only anonymous access would keep widgets useful, as otherwise widgets would require including the token in the URL, exposing it (in code, logs, etc.). Correct me if I am wrong.
Looking through my access_log recently reminded me of a comment @tsteur made in #14099:
I just noticed the token_auth is shown in access_logs anytime the PHP Tracking Web API client (Method 2: HTTP Request) is used. For example, I see a bunch of these in my access_log:
According to Tracking HTTP API:
However, it's not clear how to send these via POST when using PiwikTracker (instead of CURL). I haven't dug into Matomo's code but shouldn't the PiwikTracker be using POST so the token_auth doesn't show up? Is there a way to force PiwikTracker to use POST? Here's some basic scrubbed code I'm using:
I suggest you create an issue in the Matomo PHP Tracker for this: https://github.com/matomo-org/matomo-php-tracker/
This one might be done? |
Yes. The UI shouldn't be sending the token_auth as GET anywhere anymore. |
The goal of this issue is to ensure that in Piwik core, including the core:archive cron task and other logic, we will not send the token_auth as a GET parameter. Instead we should send the token_auth with POST so that it does not show up in logs and whenever the GET URL is output.

This follows up #5277 and #7301.
Also related to #4171.
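The two halves of what this issue asks for, as an added example that is not Matomo/Piwik project code: a client that calls the Reporting API with token_auth only in the POST body, and a scan of an access_log for request lines that still carry the token in the query string (the leak the comment above about access_log describes). The host https://matomo.example/, the token values and the log lines are constructed for illustration; the only Matomo behaviour relied on is the one stated in this thread, that the API accepts token_auth via either GET or POST.

```python
# Added example, not Matomo/Piwik project code. The base URL, the token
# values and the log lines below are all constructed for illustration.
import re
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request


def build_api_request(base_url, params, token_auth):
    """Build a Reporting API request that carries token_auth only in the
    form-encoded POST body.

    A web server's access log records the request line (method, path and
    query string), not the body, so keeping the token out of the query
    string keeps it out of access_log. Any token_auth that slipped into
    `params` is dropped rather than copied into the URL.
    """
    query = urlencode({k: v for k, v in params.items() if k != "token_auth"})
    url = base_url.rstrip("/") + "/index.php?" + query
    body = urlencode({"token_auth": token_auth}).encode()
    return Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


# Constructed Apache combined-format access_log lines (not real logs):
# a Reporting API call with the token in the query string, the same call
# with the token in the POST body, and a tracking request sending
# token_auth via GET.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Feb/2020:12:00:01 +0000] "GET /matomo/index.php?module=API&method=VisitsSummary.get&idSite=1&period=day&date=today&format=json&token_auth=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.5 - - [10/Feb/2020:12:00:02 +0000] "POST /matomo/index.php?module=API&method=VisitsSummary.get&idSite=1&period=day&date=today&format=json HTTP/1.1" 200 512 "-" "Python-urllib/3.8"
203.0.113.9 - - [10/Feb/2020:12:00:03 +0000] "GET /matomo/piwik.php?idsite=1&rec=1&cip=198.51.100.7&token_auth=fedcba9876543210fedcba9876543210 HTTP/1.1" 204 0 "-" "constructed-tracker/1.0"
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def leaked_tokens(log_text):
    """Scan access_log text for requests whose query string carried
    token_auth. Returns (method, path, redacted_token) tuples; only the
    first four characters of each token are kept so the report itself
    does not re-leak the secret."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        path, _, query = match.group("target").partition("?")
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == "token_auth":
                hits.append((match.group("method"), path, value[:4] + "..."))
    return hits


if __name__ == "__main__":
    req = build_api_request(
        "https://matomo.example/",  # placeholder host
        {"module": "API", "method": "VisitsSummary.get", "idSite": 1,
         "period": "day", "date": "today", "format": "json"},
        "0123456789abcdef0123456789abcdef",
    )
    print(req.get_method(), req.full_url)  # the token is absent from the URL
    print(req.data)                         # the token is only in the body
    for hit in leaked_tokens(SAMPLE_ACCESS_LOG):
        print("token_auth in query string:", hit)
```

Moving the token into the body keeps it out of the request line that access_log, proxies and browser history record, but not out of anything that logs request bodies (a WAF or debugging proxy, for instance), so the log scan is worth running after the change as well as before. For tracking requests the same move has to happen in the client library, which is why the reply above points to the PHP tracker repository.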