Help

Re: Extra Parameters in Attachment URL

Solved
Jump to Solution
1694 0
cancel
Showing results for 
Search instead for 
Did you mean: 
Matt_Kennedy1
7 - App Architect
7 - App Architect

Hi - I recently noticed that the URLs for attachments in my base are ‘sometimes’ exported with additional parameters that looks something like this:

&userId=usrRGFsp5k3BVKxoz&cs=5df56hubdtrt3673b79d

I’d prefer just the basic URL, and am also concerned that exposing the UserID is a security flaw - since I’ve shared these asset links, usually images, on a public platform without inspecting the URL closely.

I am using the API (via pyairtable) to get these URLs. Sometimes the extra parameters are included, and sometimes they’re not. I haven’t been able to ascertain what is causing the different outcomes.

Has anyone experienced this, or had similar issues?

Thanks!

1 Solution

Accepted Solutions
Bill_French
17 - Neptune
17 - Neptune

The user ID parameter is likely your user ID, but it’s not a security flaw. It is anonymized (doesn’t reveal your identity), and it does not represent an ID used to gain access to Airtable. It is there purely for tracking purposes.

The cs parameter is typically a session ID; also innocuous.

Then your app needs to parse away these parameters.

Any rendering of URLs with these parameters is ignored by the browser, but more importantly (as @ScottWorld makes clear), you need to eliminate CDN URL dependencies from your process in the next few months or face some surprises. Furthermore, any and all URLs shared in the wild will become invalid.

Depending on your business case and application architecture, you might need one of these.

See Solution in Thread

4 Replies 4

I’m not sure about the extra parameter — I would ask support@airtable.com to see if they know anything about that.

But note that as of November 8th, you won’t be able to share these attachment links on public platforms for more than 2 hours, because the links will expire after that:

Bill_French
17 - Neptune
17 - Neptune

The user ID parameter is likely your user ID, but it’s not a security flaw. It is anonymized (doesn’t reveal your identity), and it does not represent an ID used to gain access to Airtable. It is there purely for tracking purposes.

The cs parameter is typically a session ID; also innocuous.

Then your app needs to parse away these parameters.

Any rendering of URLs with these parameters is ignored by the browser, but more importantly (as @ScottWorld makes clear), you need to eliminate CDN URL dependencies from your process in the next few months or face some surprises. Furthermore, any and all URLs shared in the wild will become invalid.

Depending on your business case and application architecture, you might need one of these.

Yikes. Didn’t know about that. Thanks for pointing it out.

Looks like I have some homework to do!