
Securing Admin Page Under Windows


TT2by2


I got through my first stumbling stone in a previous thread. Now another issue I am concerned about.

How does one secure the admin section? I see no place to set an administrative password or secure it in any way. Anyone can go to the /admin section and poke around freely. What's the best way to do this? I'm running IIS on win2k Advanced Server.

Thanks again!


First thing to do is to rename the 'admin' folder to something unique, which no one else can guess. Then go into the admin(newname)/includes/configure.php and you'll find several file pathways to /admin/ and you need to change these to reflect the new name. This will give you some protection.

Next, go to your web hosting control panel, and see if they have a 'Password Protect' or 'Protect Directories' feature and if they do then use that to protect the renamed 'admin' folder.

Finally, if you have ssl, even a shared ssl, then you can set all file pathways from http:// to https:// in your admin/includes/configure.php file, and this will put all of your 'admin' folder behind ssl encryption.

Vger
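
A check for the rename and https steps in the reply above, as an added example that is not part of the original post or of osCommerce itself: it parses a configure.php and reports `define()` values that still reference the old `admin` folder or a plain `http://` URL. The sample file contents, the host name and the folder name `mgmt-7f3k` are constructed for illustration.

```python
import re

# Matches PHP define('NAME', 'value') with single- or double-quoted strings.
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)""")

# Constructed sample in the style of an admin configure.php; host and
# folder names are made up for this example.
SAMPLE_CONFIGURE_PHP = """<?php
  define('HTTP_SERVER', 'http://shop.example.test');
  define('HTTP_CATALOG_SERVER', 'https://shop.example.test');
  define('DIR_WS_ADMIN', '/admin/');
  define('DIR_FS_ADMIN', 'C:/Inetpub/wwwroot/catalog/mgmt-7f3k/');
  // define('DIR_FS_ADMIN', 'C:/Inetpub/wwwroot/catalog/admin/');
  define('DIR_WS_CATALOG', '/catalog/');
?>"""


def parse_defines(php_source):
    """Return {constant: value} for string define() calls on uncommented lines."""
    defines = {}
    for line in php_source.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue  # a commented-out define has no effect at runtime
        for match in DEFINE_RE.finditer(line):
            defines[match.group(2)] = match.group(4)
    return defines


def audit_admin_config(php_source, new_admin_dir, old_admin_dir="admin"):
    """Return (constant, problem) pairs for leftovers of the rename/https steps."""
    findings = []
    new_dir_seen = False
    for name, value in parse_defines(php_source).items():
        segments = [s for s in re.split(r"[/\\]", value) if s]
        if old_admin_dir in segments:
            findings.append((name, "still points at the old folder name"))
        if new_admin_dir in segments:
            new_dir_seen = True
        if value.lower().startswith("http://"):
            findings.append((name, "URL is plain http, not https"))
    if not new_dir_seen:
        findings.append(("(config)", "renamed folder is not referenced anywhere"))
    return findings


if __name__ == "__main__":
    for constant, problem in audit_admin_config(SAMPLE_CONFIGURE_PHP, "mgmt-7f3k"):
        print(f"{constant}: {problem}")
```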


Thanks for the response. I host my own, and have local access to the server. I don't have a web-based control panel, as I don't offer public hosting, and didn't see the need for it. I have changed the /admin path to a very unique name, and nobody could possibly guess it. I do not have SSL config'd yet. Is there a way I could password protect the admin directory only, leaving the rest of the web open through the IIS settings? I guess I'll have to experiment with that. Any other ideas I missed would be helpful though.

Thanks


Place a .htaccess file in the 'admin' folder with code that requires a user name and password. Do a search on the web and you'll come up with plenty of examples.

Vger


I don't have a web-based control panel, as I don't offer public hosting, and didn't see the need for it.

Neither did I... until I stumbled across Jamie Cameron's Webmin. Webmin is an easy, browser-based Linux administration system - it's simple to use, yet packs quite a punch. I come from an education background and was looking for ways to simplify my life as well as remove some of my newbie server administration frustrations.


Archived

This topic is now archived and is closed to further replies.
