Tags: php, authentication, authorization, opencart, opencart-3

Why is the authorization logic of the OpenCart admin panel designed like this (weird)?


We have lots of authentication and authorization methods to use (OAuth, 2FA, etc.) to ensure the security of our account on an e-commerce platform. I recently had a close look at the admin login logic of OpenCart 3.0.2.0 and tried to figure out why the authorization logic is designed like this:

  1. Store the user_token in the session table in the DB (Cool)
  2. Store a logged-in status in PHP memory (Cool)
  3. Store the user_token in the admin user's browser (Cool)
  4. Give the token a duration after which it expires (Cool)
  5. Keep carrying the user_token in the URL GET variable everywhere (???)

We could check whether the user_token from the admin user is valid and exists in our session table in the DB (which is checked at login), then we could keep track of the logged-in status in PHP memory, and we could also check whether this session has expired.

The question is: why do we still need to keep the user_token in the URL GET variable everywhere?


Solution

  • The user_token variable was added later, after a discussion on the internet about this security flaw.

    The idea of a token was to prevent a hacker from sending a user a link with malicious code in the URL that would use the admin's authenticated session to hack the OpenCart admin panel.

    With the token in place, OpenCart checks it and logs out the admin if the token is incorrect.
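The check the answer describes, written out as an added illustration (this is not OpenCart's own code; the function names, the `$session` and `$get` arrays, and the constructed requests are assumptions for this example). The cookie alone proves only that a browser holds a session; the URL token proves the request came from a page the admin panel itself rendered, which is what defeats a link planted by someone else.

```php
<?php
// Added example, not OpenCart code. issueAdminToken() and verifyAdminToken()
// are hypothetical names; $session stands in for the server-side session and
// $get for the parsed query string of one admin request.

// At login: create a random token, keep it server-side, and hand it to the
// browser so every link the admin panel renders can carry it in the URL.
function issueAdminToken(array &$session): string {
    $session['user_token'] = bin2hex(random_bytes(16)); // 128 bits of entropy
    return $session['user_token'];
}

// On every admin request: require the URL token and compare it in constant
// time against the one stored in the session. A third party can make the
// browser send the session cookie, but cannot know this token, so a missing or
// wrong token means the request did not originate from the admin panel and
// the session is dropped (the logout the answer mentions).
function verifyAdminToken(array &$session, array $get): bool {
    $expected = $session['user_token'] ?? '';
    $given    = $get['user_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        unset($session['user_token']); // log the admin out
        return false;
    }
    return true;
}

// Constructed walk-through: a link rendered by the panel carries the token;
// a request arriving without it (or with a stale one) is rejected.
$session = [];
$token = issueAdminToken($session);
var_dump(verifyAdminToken($session, ['route' => 'common/dashboard', 'user_token' => $token]));

$session = [];
issueAdminToken($session);
var_dump(verifyAdminToken($session, ['route' => 'common/dashboard']));
var_dump(isset($session['user_token'])); // session cleared after the failed check
```

Because the token is compared with `hash_equals`, a mismatch takes the same time regardless of how many leading characters happen to agree.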