Magento – Disable / remove Secret Key from Admin / backend URL

  • Admin Backend Cross Site Request Forgery Vulnerability

This article shows you a necessary trick to improve your Magento installation's security.
A new secret key is created every time you log in to the Magento Admin, so there is a unique key (32 characters long) for each session of your Magento admin login. This key is appended to the admin URL as http://your-magento-admin-url/key/743c37b1…adf6588/

This is added for security reasons. In their release notes, Magento says that the secret key was added to URLs for CSRF (cross-site request forgery) attack prevention.

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.

You can learn more about CSRF here:- http://en.wikipedia.org/wiki/Cross-site_request_forgery


Sometimes you may want to access an admin URL without the secret key. For this, you can disable the secret key in admin URLs.

Here is how you do it:-

– Log in to admin
– Go to System -> Configuration -> ADVANCED -> Admin -> Security -> Add Secret Key to URLs
– Select No
– Save Config

You are done. You will not see the secret key in admin URLs from now on. Keep in mind that this key is the CSRF protection described above, so admin requests are no longer covered by it once it is disabled.
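As an added illustration (not Magento's own code), here is a small Python model of the per-session URL key described above and of what the "Add Secret Key to URLs" setting changes; the function names, URL paths and the hex format of the 32-character key are assumptions of the model, not taken from Magento.

```python
import re
import secrets
import hmac
from typing import Dict, Optional

# Constructed model: a 32-character key is generated at admin login and must
# appear as the /key/<value>/ segment of every admin URL. Hex format and the
# regex are assumptions; the 32-character length is from the article.
KEY_SEGMENT = re.compile(r"/key/([0-9a-f]{32})/")


def new_session_key() -> str:
    """Generate a fresh 32-hex-character key, one per admin login session."""
    return secrets.token_hex(16)  # 16 random bytes -> 32 hex characters


def key_from_url(url: str) -> Optional[str]:
    """Extract the /key/.../ segment from an admin URL, or None if absent."""
    match = KEY_SEGMENT.search(url)
    return match.group(1) if match else None


def admin_request_allowed(url: str, session_key: str,
                          add_secret_key_to_urls: bool = True) -> bool:
    """Decide whether an admin request may be executed.

    With the setting on, the key in the URL must match the key bound to the
    admin's session (constant-time compare); a cross-site forged request
    does not know that key, so it is rejected. With the setting off (what
    the article configures), the check is skipped and any URL is accepted.
    """
    if not add_secret_key_to_urls:
        return True
    presented = key_from_url(url)
    if presented is None:
        return False
    return hmac.compare_digest(presented, session_key)


def demo() -> Dict[str, bool]:
    """Run constructed scenarios; returns the outcome of each one."""
    key = new_session_key()
    base = "http://your-magento-admin-url/admin/system_config/save/"  # constructed
    legit = f"{base}key/{key}/"          # URL Magento itself would emit
    forged = base                         # cross-site request without any key
    guessed = f"{base}key/{'0' * 32}/"    # cross-site request with a wrong key
    return {
        "legit_with_key": admin_request_allowed(legit, key),
        "forged_without_key": admin_request_allowed(forged, key),
        "forged_wrong_key": admin_request_allowed(guessed, key),
        "forged_after_disabling": admin_request_allowed(forged, key, False),
    }
```

Running `demo()` shows the last scenario flipping from rejected to accepted, which is exactly the difference the setting makes.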

Hope this helps. Thanks.
