[ZBX-7059] Remove sid from frontend URLs  Created: 2013 Sep 26  Updated: 2020 Jul 16  Resolved: 2013 Sep 29

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.0.8
Fix Version/s: None

Type: Defect (Security) Priority: Trivial
Reporter: Cristian Assignee: Unassigned
Resolution: Won't fix Votes: 0
Labels: security, sid
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

In the times of URL rewriting I feel like I'm in the 1990s when I see that the frontend has params with the sid included.

I won't comment on the fact that we have query params used instead of "friendly" URLs, but adding the sid to URLs is annoying, especially when trying to give someone else a URL from the frontend.

Correct me if I'm wrong, but is this "feature" from the app?


Comments
Comment by Oleksii Zagorskyi [ 2013 Sep 27 ]

Rich has an answer to this question.
I still don't really understand why we need the SID there, even after Rich's explanation.

Comment by richlv [ 2013 Sep 27 ]

zalex, damn, come to Riga, I'll demonstrate ;D

I know why we need to pass the sid, but I'm not sure whether we could do it in POST (?), which is what this issue is about.

Comment by Cristian [ 2013 Sep 27 ]

I see the Zabbix frontend is already storing the PHPSESSID plus a zbx_sessionid (as cookies). Why are so many session IDs needed, besides that SID from GET params?

Too much and outdated coding of this part, probably.

Comment by Alexei Vladishev [ 2013 Sep 29 ]

Passing SIDs is the only way to deal with XSS (cross-site scripting) attacks. We cannot pass it in POST.

Anyway, I do not think the issue reports any bugs, so I am closing it. Feel free to re-open if you do not agree.

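As an added illustration for this thread (not Zabbix code and not posted by any participant), the Python sketch below shows what a session-bound request token such as the frontend's sid achieves, and why it gets in the way of sharing links. The token is derived from the caller's own session (the HMAC derivation here is an assumption made for the example; the real frontend may derive its sid differently), a request is accepted only if the presented token matches in constant time, and a link copied to another user therefore fails in that user's session while still carrying the sender's token. The hostname and all parameter names other than sid are constructed.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed server-side secret for the demo; a real frontend would keep
# this per installation and never ship it in code.
SERVER_SECRET = b"constructed-demo-secret"


def sid_for_session(session_id: str) -> str:
    """Derive the request token for a session.

    Assumption for this example: the token is a truncated HMAC of the session
    cookie under a server secret, so it is unpredictable to anyone who does not
    hold that session, yet cheap to recompute on every request.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def check_request(session_id: str, query: dict, form: dict) -> bool:
    """Accept a state-changing request only if it carries the token for the
    caller's own session. The frontend discussed here puts the token in the
    query string as sid=...; the same comparison works when it arrives in a
    POST body, so both locations are consulted. Comparison is constant-time."""
    presented = form.get("sid") or query.get("sid")
    if not presented:
        return False
    expected = sid_for_session(session_id)
    return hmac.compare_digest(presented.encode(), expected.encode())


def check_url(session_id: str, url: str, form: Optional[dict] = None) -> bool:
    """Convenience wrapper: evaluate a full URL plus an optional form body."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return check_request(session_id, query, form or {})


def strip_sid(url: str) -> str:
    """Return the link without its sid parameter: the form a user would want
    to paste to a colleague, since the token is bound to the sender's session
    and either fails or leaks in anyone else's browser."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "sid"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample sessions; nothing here comes from a real installation.
    alice, bob = "session-alice-constructed", "session-bob-constructed"
    link = f"https://zabbix.example/screens.php?elementid=12&sid={sid_for_session(alice)}"

    print("alice follows her own link:", check_url(alice, link))        # True
    print("bob follows alice's link:", check_url(bob, link))            # False
    print("link with sid removed:", check_url(alice, strip_sid(link)))  # False
    print("token moved to POST body:",
          check_url(alice, strip_sid(link), {"sid": sid_for_session(alice)}))  # True
    print("shareable form:", strip_sid(link))
```

The two failing cases are the usability complaint in this issue seen from the server side: a pasted link either carries a token for the wrong session and is rejected, or has it stripped and is rejected as well. The passing POST case only shows that the comparison itself does not depend on where the parameter is carried.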
Comment by Sorin Sbarnea [ 2014 Apr 02 ]

That's not trivial, and it hurts the accessibility and usability of the application.

This does affect the ability to share links to different screens.

Comment by Sorin Sbarnea [ 2014 Apr 02 ]

"Passing SIDs is the only way how to deal with XSS" is quite a false statement.

Comment by Oleksii Zagorskyi [ 2015 Mar 04 ]

Just a note: the SID was used for the Dashboard page up to and including 2.2. A correct SID was required to open the page.
But starting from 2.4 it's ignored on the page (ZBX-2570), and in trunk (for 3.0) it's already missing when opening the page.
Tested on 2.2.9rc1-52288 and 2.4.5rc1-52414.

Comment by Cristian [ 2015 Mar 04 ]

I do hope the SID will disappear from URLs anyway, ignored or not...

Maybe we can hope for user-friendly links?
