- Admin Backend Cross Site Request Forgery Vulnerability
This article shows you a detail of Magento admin security: the secret key that Magento appends to admin URLs, what it protects against, and how to turn it off if you really need to.
A new secret key is created every time you log in to the Magento admin, so there is a unique key (32 characters long) for each admin session. This key is appended to the admin URL, as in http://your-magento-admin-url/key/743c37b1…adf6588/
This is added for security reasons. In their release notes, Magento say that the secret key was added to admin URLs to prevent CSRF (Cross-site request forgery) attacks: an attacker's page cannot read the key from the victim's session, so a forged request to the admin backend arrives without a valid key and is rejected.
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.
You can learn more about CSRF here:- http://en.wikipedia.org/wiki/Cross-site_request_forgery
Sometimes you may want to access an admin URL without the secret key (for example, a bookmarked admin page). For this, you can disable the secret key in admin URLs. Be aware that this removes the CSRF protection the key provides: once it is off, any admin action reachable by URL can be triggered by a forged request from another site while you are logged in. Only disable it if you have a real need, and prefer keeping it enabled.
Here is how you do it:-
– Login to admin
– Go to System -> Configuration -> ADVANCED -> Admin -> Security -> Add Secret Key to URLs
– Select No
– Save Config
You are done. You will not see the secret key in the admin URL from now on.
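To make the trade-off concrete, here is an added example (not Magento's code, and not from the original article) that models the per-session URL key described above and the "Add Secret Key to URLs" switch. The session object, the `handle_admin_request` check and the `use_form_key` flag are simplified assumptions for illustration; the forged request models a cross-site page that triggers an admin action while the victim's browser sends its session cookie automatically. With the key required, the forged and guessed requests are rejected and only the link rendered by the backend succeeds; with the key disabled, all three are accepted.

```python
import hmac
import secrets

# Magento renders the key into admin URLs as /key/<32 hex chars>/ (see the URL above).
KEY_SEGMENT = "key"


class AdminSession:
    """Simplified model of a logged-in admin session with its own URL secret key."""

    def __init__(self, user):
        self.user = user
        # 32 hex characters, like the key shown in the admin URL
        self.secret_key = secrets.token_hex(16)


def admin_url(session, path, use_form_key=True):
    """Build an admin action URL the way the backend would render it in a link."""
    base = f"http://your-magento-admin-url{path}"
    if use_form_key:
        return f"{base}{KEY_SEGMENT}/{session.secret_key}/"
    return base


def extract_key(url):
    """Return the secret key segment of an admin URL, or None if there is none."""
    parts = url.rstrip("/").split("/")
    if KEY_SEGMENT in parts:
        i = parts.index(KEY_SEGMENT)
        if i + 1 < len(parts):
            return parts[i + 1]
    return None


def handle_admin_request(session, supplied_key, use_form_key=True):
    """Decide whether an admin action request is accepted.

    The session is already authenticated (the browser sent its cookie).
    When use_form_key is True the request must also carry the session's
    secret key; the constant-time compare avoids leaking it via timing.
    """
    if use_form_key:
        if supplied_key is None or not hmac.compare_digest(supplied_key, session.secret_key):
            return "rejected"
    return "ok"


def csrf_demo(use_form_key):
    """Run a forged, a guessed and a legitimate request against one admin session."""
    victim = AdminSession("admin")

    # Attacker's page cannot read the victim's admin URL, so the forged request has no key.
    forged = handle_admin_request(victim, None, use_form_key)

    # Guessing a random 32-hex key is hopeless.
    guessed = handle_admin_request(victim, secrets.token_hex(16), use_form_key)

    # A link rendered by the backend carries the real key (or none when disabled).
    url = admin_url(victim, "/index.php/admin/system_account/save/", use_form_key)
    legitimate = handle_admin_request(victim, extract_key(url), use_form_key)

    return {"forged": forged, "guessed": guessed, "legitimate": legitimate}


if __name__ == "__main__":
    print("secret key enabled :", csrf_demo(True))
    print("secret key disabled:", csrf_demo(False))
```

The `use_form_key` flag plays the role of the "Add Secret Key to URLs" setting. The point of the two runs is the second one: with the key disabled, the forged request is indistinguishable from a legitimate one, which is exactly the CSRF exposure the key was introduced to close.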
Hope this helps. Thanks.