
Ticket address is public?


jkook


Hi.

I just found out that if I copy and paste the ticket address, everyone can see the contents of tickets.

Is it normal?

 

Because if it's public, it can be crawled by Google, so I shouldn't write account information or a password.

One of my clients asked for a password, that's why I am wondering.

Link to comment
Share on other sites

the big issue is that even if search engines don't crawl the links, some other scripts do.

 

like traffic monitors/scripts.

 

i recently found some tickets indexed by a traffic monitor i use on my pages.

 

i had to prevent this, and I wrapped the source code of supportticketview.tpl between:

 

{if $loggedin} 

and

{else}
You must be logged in
{/if}

 

that seemed to do the trick, however, the ticket can be viewed by another user if logged in

Link to comment
Share on other sites

  • WHMCS CEO

If you do that, that then makes your ticket system unusable for non registered users. The ticket number/secret key combo should be enough to keep search engines from indexing it unless the user goes and posts their unique ticket link in public somewhere.

 

Matt

Link to comment
Share on other sites

i use a traffic monitor on my website.

 

the script goes into footer.tpl.

 

of course, the script indexes the ticket pages.

 

there is no way of removing it from some pages, is there?

 

can i use footer2.tpl for some pages and footer.tpl on others?

 

is there any kind of discrimination possible in the footer.tpl? like:

 

{if $page == 'supportticketview'}
{* do nothing *}
{else}
{* insert the monitor script *}
{/if}

Link to comment
Share on other sites

*bump* I just tested and found out the issue to be real.

 

A customer asked me if my ticketing system is being crawled by google ... I understand the issue now, I thought it was blocked when not logged in. At least those tickets are hard to access by a search engine...

 

But do you think hackers who know how WHMCS works would be able to figure out how to generate those ticket IDs?

Link to comment
Share on other sites

i doubt they can generate it.

 

but as I said, i have a traffic monitor and here is some public output for visited pages from last week:

 

http://stat.trafic.ro/stat/megahost/pagini-intrare/saptamana/#stat

 

note the last 3 entries on the bottom:

 

viewticket.php?tid=317657&c=PXjH8bqv

viewticket.php?tid=247167&c=8XbFCEF1

 

these records are public.

Link to comment
Share on other sites
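
An added example, not part of any post above and not WHMCS code: a Python audit of a traffic monitor's page report that flags ticket URLs carrying both `tid` and the `c` key, like the entries quoted in the last post, and redacts the key before the finding is shared. The report lines and host name are constructed, and treating `c` as the ticket's secret key is an assumption drawn from those URLs.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed sample: entry-page URLs as a public traffic report might list them.
SAMPLE_REPORT = """\
https://billing.example.test/index.php
https://billing.example.test/viewticket.php?tid=100001&c=AAAA1111
https://billing.example.test/knowledgebase.php?action=displayarticle&id=4
viewticket.php?tid=100002&c=BBBB2222
https://billing.example.test/viewticket.php?tid=100001&c=AAAA1111
"""

SECRET_PARAMS = {"c"}            # assumption: 'c' carries the ticket's secret key
TICKET_PAGE = "viewticket.php"   # page name taken from the URLs in the thread


def redact(url):
    """Return url with secret query parameters replaced by a fixed marker."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in SECRET_PARAMS.intersection(query):
        query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def find_exposed_tickets(report_text):
    """Map each exposed ticket id to the redacted URL it first appeared in."""
    exposed = {}
    for line in report_text.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        if not parts.path.endswith(TICKET_PAGE):
            continue
        query = parse_qs(parts.query)
        # A listing is only a disclosure when the id and the key appear together.
        if "tid" in query and SECRET_PARAMS.intersection(query):
            exposed.setdefault(query["tid"][0], redact(url))
    return exposed


if __name__ == "__main__":
    for tid, where in find_exposed_tickets(SAMPLE_REPORT).items():
        print(f"ticket {tid} exposed with its key: {where}")
```

Every ticket id this reports has had its full link published by the monitor, so anything written in that ticket should be treated as disclosed.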
