1 2014-04-24 17:19:24 (edited by hjet 2014-04-26 13:33:52)

Topic: Protect from direct access to the admin

open file admin/index.php
before that line

    // Display login template
    require 'themes'. DS . Option::get('theme_admin_name') . DS . 'login.template.php';

add this

    // new link to admin area - http://yoursite/admin/?test
    // sha1('test') = a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
    reset($_GET);
    $secretkey = 'test';
    if( !array_key_exists($secretkey, $_GET) && Cookie::get('key') != sha1($secretkey) && sha1(key($_GET)) != sha1($secretkey) ) {
        $end = explode('/',$_SERVER['REQUEST_URI']);
        $end = $end[array_pop(array_keys($end))];
        header('location: '.Option::get('siteurl').'аdmin/'.$end); // redirect to a nonexistent page (the first letter "а" in the word "аdmin" - on cyrillic), preserving all link parameters entered by the user
    }else{
        Cookie::set('key', sha1($secretkey), 600);
    }

Re: Protect from direct access to the admin

In English Please!

Site | GitHub | Create forums / solutions based on PunBB / Monstra / OGMA

Plug-ins are distributed Creative Commons Attribution-NonCommercial 4.0

Re: Protect from direct access to the admin

I've try your solution, but there is few limitation found:

  • Only on first login you can't access the URL without /admin/?test. Once login, then logout, the session is not destroy. Now I can login without /admin/?test

  • Using $_GET is not advisable (correct me if I'm wrong)

Monstra 3.0.1

fadlisaad's Website

4 2014-12-01 00:31:40

Re: Protect from direct access to the admin

Really works! ... Thank you for taking the time to do all this. wink

5 (edited by Freddynic159 2014-12-01 01:26:01)

Re: Protect from direct access to the admin

fadlisaad wrote:

I've try your solution, but there is few limitation found:

  • Only on first login you can't access the URL without /admin/?test. Once login, then logout, the session is not destroy. Now I can login without /admin/?test

This is because the cookie has a duration of 600 seconds = 10 minutes (time that can be accessed without /admin/?test).

You can change this value in the line:

Cookie::set('key', sha1($secretkey), 600);

but is not necessary because the cookie is created only when you log in. tongue

Re: Protect from direct access to the admin

Good job  I test in Morfy Panel also and working well, thanks to share

..::: Moncho Varela ::::..   ..::: @Nakome ::::..   ..::: Github ::::..

nakome's Website

Re: Protect from direct access to the admin

Freddynic159 wrote:

You can change this value in the line:

Cookie::set('key', sha1($secretkey), 600);

but is not necessary because the cookie is created only when you log in. tongue

Great work!

Monstra 3.0.1

fadlisaad's Website

Re: Protect from direct access to the admin

fadlisaad wrote:

Great work!

you're welcome! ... we are here to help, friend. wink