osCommerce

The e-commerce.

Secure Admin Panel


joanna_seich

I've got oscommerce set up and everything's ready to go. The one thing that I'd like to do is secure the admin panel so that it can't be accessed by just anyone. I'm sure there's got to be a contribution or something for this, but I can't find it. Does anyone know what I can use? Thanks!

There are a few contributions that will do this but they are usually overkill if all you need to do is protect the admin. In that case, just use an .htaccess file. There is probably an option in your host's control panel. If you can't find it, contact your host and ask them if there is one. It is better to know this since you may need to change it in the future. If they don't have that option, search the web for how to password protect a directory using .htaccess or let me know and I will PM you a link.

Jack

Step by step guide to password protecting your admin panel

This is a guide that I wrote after stumbling through this whole process.

I am writing it to try and help others that might want to give their store better security.

First thing to do is get your user name and password ready (have it handy).

Next is to make the first of two files:

# change to your admin directory name
AuthName "Your admin Directory"
AuthType Basic
# most important, full path
AuthUserFile /your/path/to/the/folder/admin/.htpasswd
AuthGroupFile /dev/null
Require valid-user

You may need to make a tech ticket to get your full path from your host server. This is a must!

Save this file as: htaccess.text

After you upload this file into the directory that you want to password protect, rename it to: .htaccess

Next is your password file.

Go to Google and put in the search window "htpasswd generator", pick a link and go generate your password. It should look something like this (using your own user name and password):

************************************************************************

Bigdog:3.LuK8xxGttl

************************************************************************

What you have done is encrypt your user name and password.

Now this will be your second file. Add nothing except the generated code and save it as: htpasswd.text

After you upload it into the same directory as the other file, rename it to .htpasswd

Congrats, you have just password protected your directory.

When this window pops up for you to enter your user name & password, enter your original user name and password (before encryption).

Enjoy Trimmer

Step by step guide to password protecting your admin panel

Enjoy Trimmer

Thanks

however I have a problem - my server is on windows, not linux.

This means that the CHMOD command does not work, so while I have been able (through HELM) to protect my admin folder with a password - I am unable to prevent anyone from downloading my admin.php files which contain the DB username and password.

I have edited out the annoying red line at the top which says "this file is accessible" when you access my site but of course this is a bodge.

I believe .htaccess is a linux server function, although I am no expert.

While there is no security issue with regard to using oscommerce to screw my setups as the folder is protected, someone could possibly access the database with my password and fiddle with it.

Anyone know how to remedy this?

Pensive,

I think you're exactly right. I think first off I would change the name of the admin panel to something not easy to find.

Then do a search on password file protection on windows servers. I'm sure there is something in the MS knowledge base.

Sorry I couldn't be more help.. we tend to bone up on what we are trying to run..

Trimmer

  • 3 weeks later...

Trimmer-

Thanks for simplifying this process. I have been reading countless threads on securing the admin, and see it as a daunting task. Let me get this straight. So I create a file and all it has is this:

# change to your admin directory name
AuthName "Your admin Directory"
AuthType Basic
# most important, full path
AuthUserFile /your/path/to/the/folder/admin/.htpasswd
AuthGroupFile /dev/null
Require valid-user

Then I create another file with my username and password all mixed up. How does the file know what exactly my username and password is? Shouldn't I have to place it in the .htaccess file?

Thanks again for this thread.

btw what is a "tech ticket"?

I tried doing this but received an internal error. Perhaps discovering what a tech ticket is could solve my problem? If my path is /admin/.htaccess would I have to do catalog/admin/.htaccess? How could a tech ticket take the path back even further?

Thanks.
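
An added example, not part of any post in this thread: a small Python linter for the two files the guide describes. It flags directive lines that carry extra text (Apache answers a .htaccess syntax error with a 500 Internal Server Error), an AuthUserFile path that is relative or sits inside the web-served directory, and .htpasswd entries stored in weak schemes. The function names, sample paths and sample entries are constructed for illustration; `shlex` only approximates Apache's own argument parsing, and Unix-style paths are assumed.

```python
import re
import shlex

# Directives from the guide's .htaccess; each is written with exactly one argument.
TAKES_ONE = {"authname", "authtype", "authuserfile", "authgroupfile"}
WEAK = {"des-crypt", "sha1-unsalted", "unknown"}
PREFIXES = (("$2y$", "bcrypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
            ("$apr1$", "apr1-md5"), ("{SHA}", "sha1-unsalted"))

def classify_hash(h):
    """Name the scheme of an .htpasswd hash field by its prefix or shape."""
    for prefix, scheme in PREFIXES:
        if h.startswith(prefix):
            return scheme
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "des-crypt"  # traditional crypt(3): only the first 8 characters count
    return "unknown"

def lint_htaccess(text, web_dir):
    """Return (line_no, message) findings for the body of an .htaccess file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:
            findings.append((n, "unbalanced quote"))
            continue
        name, args = parts[0].lower(), parts[1:]
        if name in TAKES_ONE and len(args) != 1:
            findings.append((n, f"{parts[0]} takes 1 argument, got {len(args)}"))
        elif name == "authuserfile" and not args[0].startswith("/"):
            findings.append((n, "AuthUserFile is not an absolute path"))
        elif name == "authuserfile" and args[0].startswith(web_dir.rstrip("/") + "/"):
            findings.append((n, "password file is inside the web-served directory"))
    return findings

def lint_htpasswd(text):
    """Return (user, scheme) for entries whose scheme is weak or unrecognised."""
    rows = (l.strip().partition(":") for l in text.splitlines() if l.strip())
    return [(u, classify_hash(h)) for u, _, h in rows if classify_hash(h) in WEAK]

# Constructed samples: the guide's file pasted with a note left in, and two made-up entries.
SAMPLE_HTACCESS = ('AuthName "Admin"(change to your admin directory name)\n'
                   "AuthType Basic\n"
                   "AuthUserFile /home/example/public_html/admin/.htpasswd\n"
                   "Require valid-user\n")
SAMPLE_HTPASSWD = "alice:abCDEFGHIJKLM\nbob:$2y$10$constructed-not-a-real-hash\n"
```

Run `lint_htaccess(SAMPLE_HTACCESS, "/home/example/public_html/admin")` and `lint_htpasswd(SAMPLE_HTPASSWD)` to see the findings for the constructed samples.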

Pensive,

I think you're exactly right. I think first off I would change the name of the admin panel to something not easy to find.

Then do a search on password file protection on windows servers. I'm sure there is something in the MS knowledge base.

Sorry I couldn't be more help.. we tend to bone up on what we are trying to run..

Trimmer

Thanks trimmer.

FYI, there is no security issue. All you have to do is password protect the admin folder - this prevents people from accessing any of the admin functionality. My concerns about the password contained within the PHP file are unfounded. When a php file is read, the server turns it into an html file, so no information can be gleaned by any would-be hackers.

They would have to hack the FTP access to get the password information.

.htaccess issues are not a problem - my ISP assures me there is no way to access this sort of thing without the passwords already being known. FTP access requires a password regardless of file read/write protection on windows servers. I think they are equally secure to linux servers.

Archived

This topic is now archived and is closed to further replies.
