joanna_seich Posted May 24, 2007

I've got oscommerce set up and everything's ready to go. The one thing that I'd like to do is secure the admin panel so that it can't be accessed by just anyone. I'm sure there's got to be a contribution or something for this, but I can't find it. Does anyone know what I can use? Thanks!
Jack_mcs Posted May 24, 2007

There are a few contributions that will do this but they are usually overkill if all you need to do is protect the admin. In that case, just use an .htaccess file. There is probably an option in your host's control panel. If you can't find it, contact your host and ask them if there is one. It is better to know this since you may need to change it in the future. If they don't have that option, search the web for how to password protect a directory using .htaccess or let me know and I will PM you a link.

Jack
joanna_seich Posted May 24, 2007

Thank you, thank you, thank you! You were right, my host does offer a way to secure URLs. That worked out perfectly. Thanks!
Guest Posted May 24, 2007

Step by step guide to password protecting your admin panel

This is a guide that I wrote after stumbling through this whole process. I am writing it to try and help others that might want to try to give your store better security.

First thing to do is get your user name and password ready (have it handy).

Next is to make the first of two files:

# change to your admin directory name
AuthName "Your admin Directory"
AuthType Basic
# most important, full path
AuthUserFile /your/path/to/the/folder/admin/.htpasswd
AuthGroupFile /dev/null
Require valid-user

You may need to make a tech ticket to get your full path from your host server; this is a must!

Save this file as: htaccess.text

After you upload this file into the directory that you want to password protect, rename it to: .htaccess

Next is your password file.

Go to Google and put in the search window “htpasswd generator”, pick a link and go generate your password. It should look something like this (using your own user name and password):

************************************************************************
Bigdog:3.LuK8xxGttl
************************************************************************

What you have done is encrypt your user name and password. Now this will be your second file; add nothing except the generated code and save it as: htpasswd.text

After you upload it into the same directory as the other file, rename it to .htpasswd

Congrats, you have just password protected your directory.

When this window pops up for you to enter your user name & password, enter your original user name and password (before encryption).

Enjoy
Trimmer
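A check for the mistakes this procedure invites, added here as an example and not part of any post in the thread: it flags guide notes left after a directive's argument, an AuthUserFile that is not a full path or still holds the guide's placeholder, and missing directives. The function name, messages and sample paths are assumptions made for illustration.

```python
import re

ONE_ARG = {"authname", "authtype", "authuserfile", "authgroupfile"}  # one argument each
REQUIRED = ("AuthType", "AuthName", "AuthUserFile", "Require")

def lint_htaccess(text):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings, seen = [], set()
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache only treats whole-line '#' text as a comment
        # A quoted string is one token; everything else splits on whitespace.
        tokens = re.findall(r'"[^"]*"|\S+', line)
        name, args = tokens[0].lower(), [t.strip('"') for t in tokens[1:]]
        seen.add(name)
        # A note or trailing '#' after the argument counts as more arguments.
        if name in ONE_ARG and len(args) != 1:
            findings.append((num, f"{tokens[0]}: expected 1 argument, got {len(args)}"))
        if name == "authuserfile" and args:
            if not re.match(r"(/|[A-Za-z]:[\\/])", args[0]):
                findings.append((num, "AuthUserFile is not a full path"))
            if args[0].startswith("/your/path/to"):
                findings.append((num, "AuthUserFile still holds the placeholder path"))
    for directive in REQUIRED:
        if directive.lower() not in seen:
            findings.append((0, f"{directive} is missing"))
    return findings

# Constructed sample: the guide's block with its notes left on the directive lines.
AS_PASTED = """AuthName "Your admin Directory"(change to your admin directory name)
AuthType Basic
AuthUserFile /your/path/to/the/folder/admin/.htpasswd ( most important, full path)
AuthGroupFile /dev/null
Require valid-user
"""

# Constructed sample: note moved to its own comment line, hypothetical real path.
CLEANED = """# change to your admin directory name
AuthName "Shop admin"
AuthType Basic
AuthUserFile /home/example/public_html/catalog/admin/.htpasswd
AuthGroupFile /dev/null
Require valid-user
"""

if __name__ == "__main__":
    for num, msg in lint_htaccess(AS_PASTED):
        print(f"line {num}: {msg}")
```

Running it on a local copy before uploading catches a file that the server would reject with an error page for the whole directory.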
Pensive Posted May 24, 2007

Quote: Step by step guide to password protecting your admin panel ... Enjoy Trimmer

Thanks, however I have a problem - my server is on Windows, not Linux. This means that the CHMOD command does not work, so while I have been able (through HELM) to protect my admin folder with a password - I am unable to prevent anyone from downloading my admin.php files which contain the DB username and password. I have edited out the annoying red line at the top which says "this file is accessible" when you access my site but of course this is a bodge.

I believe .htaccess is a Linux server function, although I am no expert.

While there is no security issue with regard to using oscommerce to screw my setups as the folder is protected, someone could possibly access the database with my password and fiddle with it.

Anyone know how to remedy this?
Guest Posted May 25, 2007

Pensive,

I think you're exactly right. I think first off I would change the name of the admin panel to something not easy to find, then do a search on password file protection on Windows servers. I'm sure there is something in the MS knowledge base.

Sorry I couldn't be more help. We tend to bone up on what we are trying to run.

Trimmer
Snoboreders Posted June 12, 2007

Trimmer-

Thanks for simplifying this process. I have been reading countless threads on securing the admin, and see it as a daunting task. Let me get this straight. So I create a file and all it has is this:

# change to your admin directory name
AuthName "Your admin Directory"
AuthType Basic
# most important, full path
AuthUserFile /your/path/to/the/folder/admin/.htpasswd
AuthGroupFile /dev/null
Require valid-user

Then I create another file with my username and password all mixed up. How does the file know what exactly my username and password is? Shouldn't I have to place it in the .htaccess file?

Thanks again for this thread.
Snoboreders Posted June 12, 2007

Btw, what is a "tech ticket"? I tried doing this but received an internal error. Perhaps discovering what a tech ticket is could solve my problem? If my path is /admin/.htaccess would I have to do catalog/admin/.htaccess? How could a tech ticket take the path back even further? Thanks.
Pensive Posted June 12, 2007

Quote: Pensive, I think you're exactly right. I think first off I would change the name of the admin panel to something not easy to find, then do a search on password file protection on Windows servers. I'm sure there is something in the MS knowledge base. Sorry I couldn't be more help. We tend to bone up on what we are trying to run. Trimmer

Thanks Trimmer.

FYI, there is no security issue. All you have to do is password protect the admin folder - this prevents people from accessing any of the admin functionality.

My concerns about the password contained within the PHP file are unfounded. When a PHP file is read, the server turns it into an HTML file, so no information can be gleaned by any would-be hackers. They would have to hack the FTP access to get the password information.

.htaccess issues are not a problem - my ISP assures me there is no way to access this sort of thing without the passwords already being known. FTP access requires a password regardless of file read/write protection on Windows servers. I think they are equally secure to Linux servers.
Archived
This topic is now archived and is closed to further replies.