Admin - Add Secret Key to URLs - Yes is default setting
Whenever I use admin, the URL is too long due to this option.
Do you recommend setting 'yes' for this option, and can I know the reason?
This option is necessary to protect against CSRF attacks:
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
There is no speed benefit to disabling this option and it opens your store up to potential attack. I recommend leaving this option enabled.
Actually, there is a big benefit from disabling - if you are working in a team, it's a good idea to disable this feature in the development process and enable it back when it goes to production. If this option is enabled you are unable to pass admin links to other colleagues, tickets, chat, etc.
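The mechanism both answers refer to, as an added sketch that is not part of the original thread and is not Magento's own code: a key derived from a per-session secret and the admin route is appended to every admin URL and checked on each request, which is why a keyless cross-site request is rejected and also why a link pasted to a colleague stops working. The route layout, the HMAC construction and the names `new_session`, `url_key`, `admin_url` and `is_request_allowed` are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def new_session() -> dict:
    """Constructed stand-in for an admin session holding a random per-session secret."""
    return {"url_secret": secrets.token_bytes(32)}


def url_key(session: dict, route: str) -> str:
    """Key for one admin route, bound to this session's secret (assumed construction)."""
    return hmac.new(session["url_secret"], route.encode(), hashlib.sha256).hexdigest()


def admin_url(session: dict, route: str) -> str:
    """Build an admin link that carries the key as its final path segment."""
    return f"/admin/{route}/key/{url_key(session, route)}/"


def is_request_allowed(session: dict, url: str) -> bool:
    """Accept the request only if the URL carries the key expected for this session and route."""
    parts = urlsplit(url).path.strip("/").split("/")
    # Assumed layout: admin/<controller>/<action>/key/<hex>
    if len(parts) != 5 or parts[0] != "admin" or parts[3] != "key":
        return False
    expected = url_key(session, f"{parts[1]}/{parts[2]}")
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(parts[4].encode(), expected.encode())


# Constructed sample data: two logged-in admins and one link generated for the first.
alice, bob = new_session(), new_session()
link = admin_url(alice, "customer/delete")
keyless = "/admin/customer/delete/"  # what a request built without the session secret looks like

results = {
    "own link": is_request_allowed(alice, link),
    "request without key": is_request_allowed(alice, keyless),
    "key reused on another route": is_request_allowed(
        alice, link.replace("customer/delete", "customer/export")),
    "link pasted to colleague": is_request_allowed(bob, link),
}

if __name__ == "__main__":
    for case, allowed in results.items():
        print(f"{case:30} -> {'allowed' if allowed else 'rejected'}")
```

Only the first case is allowed; the last one is the development-team inconvenience described in the second answer, and it comes from the same check that stops the cross-site request.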