We have lots of authentication and authorization methods available (OAuth, 2FA, etc.) to secure our accounts on an e-commerce platform.
I recently had a close look at the admin login logic of
OpenCart 18.104.22.168 and tried to figure out why the authorization logic is designed like this:
- Store the user_token in the session table in the DB (Cool)
- Store a logged-in status in PHP memory (Cool)
- Store the user_token in the admin user's browser (Cool)
- Give the token a duration after which it expires (Cool)
- Keep carrying the user_token in the URL GET variable everywhere (???)
We could check whether the user_token from the admin user is valid and present in our session table in the DB (which is checked at login), then keep track of the logged-in status in PHP memory, and also check whether the session has expired.
The question is: why do we still need to keep the user_token in the URL GET variable everywhere?
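The check the post describes, written out as an added example (this is illustrative code, not OpenCart's own): a session store stands in for the DB session table, the cookie carries only the session id, and every admin request is verified against the stored user_token and expiry. The in-memory dictionary, the `SESSION_LIFETIME` value and the request shapes in `demo()` are constructed for the illustration. The `cookie_only` case shows the property the per-request URL token adds: a request that arrives with the admin's cookie but without the token (for instance one triggered from another site the admin has open) is rejected even though the session itself is valid.

```python
import secrets
import time

# Constructed stand-ins for the DB session table and the browser cookie.
# Assumed lifetime; OpenCart's actual value is not taken from the post.
SESSION_LIFETIME = 3600  # seconds

# session_id -> {"user_token": str, "logged": bool, "expires": float}
sessions = {}


def login(now=None):
    """Create a logged-in session: a session id for the cookie and a
    user_token that the browser must echo back in every admin URL."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)
    user_token = secrets.token_hex(16)
    sessions[session_id] = {
        "user_token": user_token,
        "logged": True,
        "expires": now + SESSION_LIFETIME,
    }
    return session_id, user_token


def check_request(cookie_session_id, url_user_token, now=None):
    """Verify one admin request. Returns (ok, reason).

    The cookie identifies the session; the token from the URL must match
    the one stored for that session, and the session must not have expired.
    """
    now = time.time() if now is None else now
    sess = sessions.get(cookie_session_id)
    if sess is None or not sess["logged"]:
        return False, "no logged-in session for this cookie"
    if now >= sess["expires"]:
        sessions.pop(cookie_session_id, None)  # expired: drop it
        return False, "session expired"
    if url_user_token is None or not secrets.compare_digest(
        sess["user_token"], url_user_token
    ):
        return False, "user_token missing or does not match the session"
    return True, "ok"


def demo():
    """Run the check over constructed requests and report which pass."""
    sid, tok = login(now=1000.0)
    return {
        # normal admin click: cookie + matching token in the URL
        "valid": check_request(sid, tok, now=1500.0)[0],
        # cookie present but no token in the URL, e.g. a request another
        # site caused the admin's browser to send
        "cookie_only": check_request(sid, None, now=1500.0)[0],
        # cookie present, token guessed wrong
        "wrong_token": check_request(sid, "0" * 32, now=1500.0)[0],
        # correct token, but the session lifetime has run out
        "expired": check_request(sid, tok, now=1000.0 + SESSION_LIFETIME)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s} -> {'allowed' if ok else 'rejected'}")
```

Only the first request passes; the other three are rejected by the stored session state, and the `cookie_only` case is the one the URL token alone decides.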