Aug 22, 2022 01:59 PM
Hi - I recently noticed that the URLs for attachments in my base are ‘sometimes’ exported with additional parameters that look something like this:
&userId=usrRGFsp5k3BVKxoz&cs=5df56hubdtrt3673b79d
I’d prefer just the basic URL, and am also concerned that exposing the UserID is a security flaw - since I’ve shared these asset links, usually images, on a public platform without inspecting the URL closely.
I am using the API (via pyairtable) to get these URLs. Sometimes the extra parameters are included, and sometimes they’re not. I haven’t been able to ascertain what is causing the different outcomes.
Has anyone experienced this, or had similar issues?
Thanks!
Aug 23, 2022 06:07 AM
The user ID parameter is likely your user ID, but it’s not a security flaw. It is anonymized (doesn’t reveal your identity), and it does not represent an ID used to gain access to Airtable. It is there purely for tracking purposes.
The cs parameter is typically a session ID; also innocuous.
Then your app needs to parse away these parameters.
Any rendering of URLs with these parameters is ignored by the browser, but more importantly (as @ScottWorld makes clear), you need to eliminate CDN URL dependencies from your process in the next few months or face some surprises. Furthermore, any and all URLs shared in the wild will become invalid.
Depending on your business case and application architecture, you might need one of these.
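Added example (not code from the thread, from Airtable or from pyairtable): one way to strip the `userId` and `cs` parameters from attachment URLs before they are published. It assumes records are plain dicts with a `fields` mapping in which an attachment field is a list of dicts with a `url` key and optional `thumbnails`; the host name, record ids and the `ts` parameter in the sample are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Parameter names reported in the thread.
TRACKING_PARAMS = frozenset({"userId", "cs"})


def strip_tracking(url, drop=TRACKING_PARAMS):
    """Return url without the query parameters named in drop."""
    parts = urlsplit(url)
    # Filter raw "key=value" pairs so the parameters that stay are kept
    # byte-for-byte (no decode/re-encode round trip).
    kept = [p for p in parts.query.split("&")
            if p and p.split("=", 1)[0] not in drop]
    return urlunsplit(parts._replace(query="&".join(kept)))


def clean_item(item, drop):
    """Copy a dict that has a "url" key, with that URL stripped."""
    return dict(item, url=strip_tracking(item["url"], drop))


def clean_record(record, drop=TRACKING_PARAMS):
    """Return a copy of a record dict with every attachment URL stripped.

    A field counts as an attachment field when it is a non-empty list of
    dicts that each carry a "url" key; nested thumbnail URLs are cleaned too.
    """
    fields = {}
    for name, value in record.get("fields", {}).items():
        if (isinstance(value, list) and value
                and all(isinstance(a, dict) and "url" in a for a in value)):
            cleaned = []
            for att in value:
                att = clean_item(att, drop)
                thumbs = att.get("thumbnails")
                if isinstance(thumbs, dict):
                    att["thumbnails"] = {
                        size: clean_item(t, drop) if "url" in t else t
                        for size, t in thumbs.items()}
                cleaned.append(att)
            value = cleaned
        fields[name] = value
    return dict(record, fields=fields)


# Constructed sample: host, ids and the "ts" parameter are placeholders.
BASE = "https://files.example.invalid/att/photo.png"
TAIL = "&userId=usrRGFsp5k3BVKxoz&cs=5df56hubdtrt3673b79d"
SAMPLE = {"id": "recPLACEHOLDER", "fields": {
    "Name": "Photo",
    "Images": [{"id": "attPLACEHOLDER", "url": BASE + "?ts=1" + TAIL,
                "thumbnails": {"small": {"url": BASE + "?" + TAIL[1:]}}}]}}
```

Run `clean_record` on each record before its URLs are written anywhere public; the input record is left unmodified, so the original URLs remain available for internal use.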
Aug 22, 2022 05:39 PM
I’m not sure about the extra parameter — I would ask support@airtable.com to see if they know anything about that.
But note that as of November 8th, you won’t be able to share these attachment links on public platforms for more than 2 hours, because the links will expire after that:
Aug 23, 2022 09:52 AM
Yikes. Didn’t know about that. Thanks for pointing it out.
Aug 23, 2022 09:53 AM
Looks like I have some homework to do!