Currently, many admin features use ajax requests with GET parameters. Parameters can include the token_auth and therefore is sensitive information. The requests to piwik are usually logged in the apache/nginx/iis access logs.
Let's do a quick audit of the piwik source code, and change all these requests to POST, post params are not logged.
Created a patch changing some ajaxRequest.type's to POST
Attachment: rm debug
(In ) refs #3359 use POST instead of GET requests / do not send token_auth within query strings
(In ) fixes #3483, refs #3359 use GET to query for widgets as query string is used to build urls for sparklines
(In ) fixes #3487, refs #3359 refactoring ajax requests to use a global method to query for module actions
If I remember correctly, I used GET in the helper method because something didn't work with POST. This change should be very well tested (i.e. every ajax request that is impacted by it).
I think there was a problem with multi row evolution but maybe also somewhere else.
Also, I think I remember a problem with UTF8 urls and page titles in Transitions when using POST.
Will do some testing...
(In ) refs #3359: if the user passes a date to piwikHelper.ajaxCall, don't manipulate it in case of period=range
I ended up not doing much testing because piwikHelper.ajaxCall looks a little weird to me... Most parameters are sent as URL and POST parameters which will most likely cause confusion/problems at some point.
How does PHP handle that anyway? Are the URL parameters in $_GET and the POST parameters in $_POST? That would indeed be confusing.
I would suggest to pass everything as URL parameters and only the token as a POST parameter. Having the rest in the logs can be useful if you want to analyze how Piwik is used.
Note to the tester (or myself): two critical parts are (Multi) Row Evolution and Transitions because they rely on the encoding being intact after passing the value back and forth. Test with very long urls, utf8 urls, encoded urls, double encoded and urls with unencoded special characters. Do the same for page titles in Transitions. Also, check what other parts were affected by the change and test those AJAX requests.
Ok. It should be the easiest way just to send the token_auth as POST and the rest as GET parameters. I'll change that, so there shouldn't be anymore problems caused by that.
thanks for your tests on this, it really helps to know about the test cases etc.
Steve, it looks good to only put token_auth as POST!
Are all the other changes safe?
Note to testers: Check if fixing this also fixes the following bug:
(In ) refs #3359 only send token_auth as POST param
(In ) Ping will deploy to demo to test? Refs #3359
(In ) fixes #3265 pass disableLink param to the widgets
refs #3359 use global ajax method to fetch available widgets
(In ) refs #3359 use global ajax method
(In ) refs #3359 use global ajax method
(In ) refs #3359 use global ajax method for datatables
(In ) refs #3359 use global ajax method for goal management
(In ) refs #3359 do not send empty params in datatable requests (as they should not be needed)
(In ) refs #3359 use global ajax method for SEO widget
(In ) refs #3359 use global ajax method for privacy settings
(In ) refs #3359 moving ajax requests to a new ajax helper with more functionality as the old functions
I think this is related to this ticket: When using a date range on the dashboard, some widgets don't work. The problem is that only the end date is sent and not "start,end".
Steve, could you take a look at this?
I guess that should already be fixed in . But I'll take a closer look at that later.
That change was after the latest beta. So you're probably right, Steve.
Matt, could you release another one? Is there anything else in trunk that is unstable at the moment?
(In ) Will release a new beta (sorry for delay @Timo) Refs #3359
Beta is available at: http://piwik.org/piwik-1.9.3-b9.zip
Note: different path than usual while we're finalizing security improvements.
(In ) refs #3359 use new ajaxHelper for PDFReport management
(In ) refs #3359 use new ajaxHelper for general settings
(In ) refs #3359 use new ajaxHelper for sitesmanager
(In ) refs #3359 use new ajaxHelper for usersettings
(In ) refs #3359 use global ajax helper for usersmanager
(In ) refs #3359 use global ajax helper for mobilemessaging
(In ) refs #3359 marked some (now unused) methods as deprecated; small improvements
(In ) refs #3359 small fix
(In ) refs #3359 no need to set token_auth as get param as it will be sent as post
Note: just saw that the real time live queyr every 10 seconds contain the token auth. Would be awesome to finish the refactoring or apply the change to the Live plugin.
Btw SteveG awesome work& code on this one! Nice series of commits in this ticket ;-)
Live plugin was fixed in 
PS: post commit hooks are temporarily broken (under investigation)
Nice refactoring & security improvement!