After logout also user can access site using authentication token #12604
We configured Piwik on a WAMP server, but we are facing an issue regarding the token. We are using the Burp tool for testing purposes. When a user logs out from Piwik and visits the same page again, he can access all the details.
Can we have a solution to hide or remove the auth_token from Piwik?

I am not quite sure what you mean. Do you log in the user? The regular way? The token_auth is like a combination of username and password, and using this it is possible to access data. Every user has a token_auth, which is currently expected. Did you mean you want to hide or remove the token_auth from the Piwik UI in the personal settings? This is currently not really possible yet, as the token would possibly still be visible in the source of the website (e.g. right click, View Page Source). We will eventually remove it from the source of the site to improve security even further; then it would make sense to also add a feature to not show the token to the user in the UI 👍 Apart from this, I'm not quite sure why the user is not supposed to be able to access data with the token when the user can also just log in anyway?

Thanks @tsteur for your reply.

As @tsteur mentioned, this is working as intended. The token_auth is an alternative way to log in to Matomo and should be treated with the same care as the password.

Yes, but I don't think it is the proper way for some secured sites, as anyone having access to the browser can get the Auth_token without sharing, and with a GET request we will directly get an Auth_token.

Now I know what you mean @mahesh978. Check out #12208 👍 I'll close this now as answered, but feel free to reopen or comment on that issue.
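The thread turns on one point: token_auth is a long-lived, password-equivalent credential, so logging out of the UI does not stop requests that carry it, and a token passed in a GET query string ends up in access logs, proxies and browser history. An operator who accepts that design still wants to see where tokens are being used. The script below is an added example written for this page; it is not code from the issue or from the Matomo/Piwik project. It audits constructed Apache-style access log lines, flags every request that carries token_auth in the query string, and flags uses of a user's token after that user's recorded logout. The log lines, the token values, the token-to-owner mapping and the logout timestamps are all constructed placeholders; a real deployment would take the last two from the application's user table and audit trail, since the access log alone cannot tie a logout request to a user.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines standing in for a Matomo/Piwik access log.
# Token values are placeholders, not real tokens.
ACCESS_LOG = """\
10.0.0.5 - - [10/Mar/2018:10:15:22 +0000] "GET /index.php?module=API&method=SitesManager.getSitesWithAdminAccess&format=json&token_auth=CONSTRUCTED_TOKEN_ALICE HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2018:10:20:00 +0000] "GET /index.php?module=Login&action=logout HTTP/1.1" 302 0
10.0.0.5 - - [10/Mar/2018:10:25:41 +0000] "GET /index.php?module=API&method=UsersManager.getUsers&format=json&token_auth=CONSTRUCTED_TOKEN_ALICE HTTP/1.1" 200 2048
10.0.0.9 - - [10/Mar/2018:10:26:03 +0000] "POST /index.php?module=API&method=VisitsSummary.get&format=json HTTP/1.1" 200 301
10.0.0.9 - - [10/Mar/2018:10:30:12 +0000] "GET /index.php?module=API&method=VisitsSummary.get&format=json&token_auth=CONSTRUCTED_TOKEN_UNKNOWN HTTP/1.1" 200 301
"""

# Constructed: which user each token belongs to (in practice, from the application's user table).
TOKEN_OWNERS = {"CONSTRUCTED_TOKEN_ALICE": "alice"}

# Constructed: last logout time per user (in practice, from the application's own audit trail).
LOGOUTS = {"alice": datetime(2018, 3, 10, 10, 20, 0, tzinfo=timezone.utc)}

# Apache "combined"-style line: ip ident user [timestamp] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "target": m.group("target"),
        "status": int(m.group("status")),
    }


def token_from_target(target):
    """Return the token_auth value carried in the request's query string, if any."""
    values = parse_qs(urlsplit(target).query).get("token_auth")
    return values[0] if values else None


def audit(log_text, token_owners, logouts):
    """Flag query-string token use, and token use after the owner's recorded logout."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        token = token_from_target(req["target"])
        if token is None:
            # A token sent in a POST body never reaches the access log, so it is invisible here.
            continue
        owner = token_owners.get(token)  # None for a token this deployment does not know
        base = {"ts": req["ts"], "owner": owner, "ip": req["ip"], "target": req["target"]}
        findings.append(dict(base, kind="token_in_query"))
        logout_at = logouts.get(owner)
        if logout_at is not None and req["ts"] > logout_at:
            findings.append(dict(base, kind="token_used_after_logout"))
    return findings


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(ACCESS_LOG, TOKEN_OWNERS, LOGOUTS)
    for f in results:
        print(f["kind"], f["ts"].isoformat(), f["owner"], f["ip"], f["target"])
    print(summarize(results))
```

On the constructed input this reports three requests carrying token_auth in the URL (one with a token the deployment does not recognise at all) and one use of alice's token after her logout. Neither finding is a bug in the software as the maintainers describe it, but both are exactly what an operator who shares the thread's concern wants surfaced: the first is a credential written into logs, the second is a password-equivalent still in use after the session that exposed it ended.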