Skip to main content
Solved

Extra Parameters in Attachment URL

  • August 22, 2022
  • 4 replies
  • 39 views
M
Forum|alt.badge.img+13

Hi - I recently noticed that the URLs for attachments in my base are ‘sometimes’ exported with additional parameters that looks something like this:

&userId=usrRGFsp5k3BVKxoz&cs=5df56hubdtrt3673b79d

I’d prefer just the basic URL, and am also concerned that exposing the UserID is a security flaw - since I’ve shared these asset links, usually images, on a public platform without inspecting the URL closely.

I am using the API (via pyairtable) to get these URLs. Sometimes the extra parameters are included, and sometimes they’re not. I haven’t been able to ascertain what is causing the different outcomes.

Has anyone experienced this, or had similar issues?

Thanks!

Best answer by Bill_French

The user ID parameter is likely your user ID, but it’s not a security flaw. It is anonymized (doesn’t reveal your identity), and it does not represent an ID used to gain access to Airtable. It is there purely for tracking purposes.

The cs parameter is typically a session ID; also innocuous.

Then your app needs to parse away these parameters.

Any rendering of URLs with these parameters is ignored by the browser, but more importantly (as @ScottWorld makes clear), you need to eliminate CDN URL dependencies from your process in the next few months or face some surprises. Furthermore, any and all URLs shared in the wild will become invalid.

Depending on your business case and application architecture, you might need one of these.

4 replies

ScottWorld
Forum|alt.badge.img+35
  • ScottWorld
  • Genius
  • 9808 replies
  • August 23, 2022

I’m not sure about the extra parameter — I would ask support@airtable.com to see if they know anything about that.

But note that as of November 8th, you won’t be able to share these attachment links on public platforms for more than 2 hours, because the links will expire after that:

B
Forum|alt.badge.img+19
  • Bill_French
  • Inspiring
  • 3263 replies
  • Answer
  • August 23, 2022

The user ID parameter is likely your user ID, but it’s not a security flaw. It is anonymized (doesn’t reveal your identity), and it does not represent an ID used to gain access to Airtable. It is there purely for tracking purposes.

The cs parameter is typically a session ID; also innocuous.

Then your app needs to parse away these parameters.

Any rendering of URLs with these parameters is ignored by the browser, but more importantly (as @ScottWorld makes clear), you need to eliminate CDN URL dependencies from your process in the next few months or face some surprises. Furthermore, any and all URLs shared in the wild will become invalid.

Depending on your business case and application architecture, you might need one of these.

M
Forum|alt.badge.img+13
  • Matt_Kennedy1
  • Author
  • Known Participant
  • 28 replies
  • August 23, 2022

I’m not sure about the extra parameter — I would ask support@airtable.com to see if they know anything about that.

But note that as of November 8th, you won’t be able to share these attachment links on public platforms for more than 2 hours, because the links will expire after that:


Yikes. Didn’t know about that. Thanks for pointing it out.

M
Forum|alt.badge.img+13
  • Matt_Kennedy1
  • Author
  • Known Participant
  • 28 replies
  • August 23, 2022

I’m not sure about the extra parameter — I would ask support@airtable.com to see if they know anything about that.

But note that as of November 8th, you won’t be able to share these attachment links on public platforms for more than 2 hours, because the links will expire after that:


Looks like I have some homework to do!


Terms & ConditionsAccessibility statement