Post by GWShop » Thu Jul 15, 2021 11:39 pm

When I am logged in and I browse the admin panel and whenever I open the Site.com/Admin link I always see the same message.

Is this on purpose? I have used 3 other CMS for 16 years and that's the first time I encounter this. If on the previous tab of my browser I have spent 20 minutes creating a new product, can you imagine what will happen if I make the mistake and click on the Site.com/Admin on another tab? I will create a new session and all previous work will be unusable, so I will have to copy-paste everything and re-create that product!

This is causing a massive problem and bottleneck to all of us. Solve it in the next update please.

Attachment: Gameworld-admin-login.jpg (34.81 KiB)



Post by Majnoon » Fri Jul 16, 2021 12:10 am

GWShop wrote:
Thu Jul 15, 2021 11:39 pm
When I am logged in and I browse the admin panel and whenever I open the Site.com/Admin link I always see the same message.

Is this on purpose? I have used 3 other CMS for 16 years and that's the first time I encounter this. If on the previous tab of my browser I have spent 20 minutes creating a new product, can you imagine what will happen if I make the mistake and click on the Site.com/Admin on another tab? I will create a new session and all previous work will be unusable, so I will have to copy-paste everything and re-create that product!

This is causing a massive problem and bottleneck to all of us. Solve it in the next update please.
It seems you have a lot of trouble with the OpenCart version. Just know that most of the time the latest versions are not stable. I would suggest you download the Max version and give it a shot.


Post by OSWorX » Fri Jul 16, 2021 1:21 am

GWShop wrote:
Thu Jul 15, 2021 11:39 pm
When I am logged in and I browse the admin panel and whenever I open the Site.com/Admin link I always see the same message.

Is this on purpose?
1. no, is not normal - message should be displayed only after a defined timeframe (session is expired then)
2. please read this here before continuing: viewtopic.php?f=176&t=200480

Following your posts here, I see that you have only troubles.
Question is: why and because of what?

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by ADD Creative » Fri Jul 16, 2021 6:35 am

GWShop wrote:
Thu Jul 15, 2021 11:39 pm
When I am logged in and I browse the admin panel and whenever I open the Site.com/Admin link I always see the same message.

Is this on purpose? I have used 3 other CMS for 16 years and that's the first time I encounter this. If on the previous tab of my browser I have spent 20 minutes creating a new product, can you imagine what will happen if I make the mistake and click on the Site.com/Admin on another tab? I will create a new session and all previous work will be unusable, so I will have to copy-paste everything and re-create that product!

This is causing a massive problem and bottleneck to all of us. Solve it in the next update please.
OpenCart uses a user_token in the admin URL for security. If the URL does not contain the correct user_token you will be logged out. If the user_token was to be removed it would have to have a similar security mechanism implemented in a different way. I can see the developer wanting to do this.

www.add-creative.co.uk



Post by by mona » Fri Jul 16, 2021 8:29 pm

@ADD_Creative

To be logged in on any tab as long as you are logged on one tab with something like:

admin/controller/common/login.php
add:

Code:

if (!empty($this->session->data['user_token'])) {
	$this->response->redirect($this->url->link('common/dashboard', 'user_token=' . $this->session->data['user_token'], true));
}
after:

Code:

$this->load->model('user/user');

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84



Post by ADD Creative » Sat Jul 17, 2021 11:20 pm

by mona wrote:
Fri Jul 16, 2021 8:29 pm
@ADD_Creative

To be logged in on any tab as long as you are logged on one tab with something like:

admin/controller/common/login.php
add:

Code:

if (!empty($this->session->data['user_token'])) {
	$this->response->redirect($this->url->link('common/dashboard', 'user_token=' . $this->session->data['user_token'], true));
}
after:

Code:

$this->load->model('user/user');
I would move your redirect. You are doing it before the username and password have been validated. So you have a situation where it will accept any values. Probably not major as the user_token is cleared on logout, but you are creating a possible weakness as you are purely relying on the session security. Which isn't the best as there is no regeneration, httponly, secure or leaking of data due to lack of cache control headers.

Maybe you want something like changing:

Code:

$this->session->data['user_token'] = token(32);
to:

Code:

if (empty($this->session->data['user_token'])) {
	$this->session->data['user_token'] = token(32);
}
I would still be concerned about the lack of regeneration of the user_token, given the other weaknesses.

I would probably also remove the redirect to $this->request->post['redirect'] after then, given how many actions can be performed with a GET.

Really every action that results in a change should be done using a POST with a secure token in the post data, not using a token in the URL. Although I would still keep URL token for added security. I can't see it ever happening.

www.add-creative.co.uk
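
An added example, not OpenCart's code and not code posted by anyone in this thread: a PHP sketch of the points raised in the post above (issue the token only after the credentials check, reuse it so other tabs stay valid, harden the session cookie, and require a POST body token for changes). The function names and the `form_token` field are hypothetical, and `$session` stands in for `$_SESSION`.

```php
<?php
// Added example, not OpenCart code. Function names and 'form_token' are
// hypothetical; $session stands in for $_SESSION so the demo runs in the CLI.

// Web entry point only (not called in the CLI demo below): cookie flags
// and cache control for the admin session.
function startAdminSession(): void {
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    session_start();
    header('Cache-Control: no-store');
}

// Tokens are issued only after the credentials check has passed.
// An existing token is reused so admin tabs that are already open stay valid.
function issueTokens(array &$session, bool $credentialsValid): ?string {
    if (!$credentialsValid) {
        return null;
    }
    if (empty($session['user_token'])) {
        // In a real login, call session_regenerate_id(true) at this point too.
        $session['user_token'] = bin2hex(random_bytes(16));
        $session['form_token'] = bin2hex(random_bytes(16));
    }
    return $session['user_token'];
}

// Constant-time comparison of a request value against the session value.
function tokenMatches(array $session, array $input, string $key): bool {
    return !empty($session[$key]) && isset($input[$key])
        && is_string($input[$key]) && hash_equals($session[$key], $input[$key]);
}

// Reads need the URL token; changes also need POST and a token in the body.
function requestAllowed(array $session, string $method, array $get, array $post, bool $changesState): bool {
    if (!tokenMatches($session, $get, 'user_token')) {
        return false;
    }
    return !$changesState
        || ($method === 'POST' && tokenMatches($session, $post, 'form_token'));
}

// Constructed requests for the demonstration.
$session = [];
var_dump(issueTokens($session, false));                      // failed login
$token = issueTokens($session, true);                        // successful login
var_dump($token === issueTokens($session, true));            // login page opened in a second tab
$get = ['user_token' => $token];
var_dump(requestAllowed($session, 'GET', $get, [], false));  // view a page
var_dump(requestAllowed($session, 'GET', $get, [], true));   // change attempted via GET
var_dump(requestAllowed($session, 'POST', $get, ['form_token' => $session['form_token']], true));
```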



Post by GWShop » Fri Jul 23, 2021 12:49 am

OSWorX wrote:
Fri Jul 16, 2021 1:21 am
GWShop wrote:
Thu Jul 15, 2021 11:39 pm
When I am logged in and I browse the admin panel and whenever I open the Site.com/Admin link I always see the same message.

Is this on purpose?
1. no, is not normal - message should be displayed only after a defined timeframe (session is expired then)
2. please read this here before continuing: viewtopic.php?f=176&t=200480

Following your posts here, I see that you have only troubles.
Question is: why and because of what?
Because I was using other CMS for my whole life, I am new and also you don't have adequate/capable QA for testing a version and there are several issues. I am doing the QA for free as you see, as others do.

Also I post here in the Forums so that I don't spam you with emails.

I use latest version v.3.0.3.7
So the last 2 users gave the answer. Can you implement it in 3.0.3.8?
