Guest Posted May 22, 2003

Hi, I wonder why the admin part of osCommerce is not password protected. I know I can use .htaccess to secure my directory, but I think it is not the best solution. Is somebody working on a module or is it planned to include an authentication for the whole password script?

Marian

Emmtee Posted May 22, 2003

there's a contrib for "admin with levels" ... i suppose it does something similar ...

btw - ssl and .htaccess make just a perfect combination IMHO :)

http://www.oscommerce.com/community/contributions,1762

Guest Posted May 22, 2003

I have my admin password protected with .htaccess and secured with ssl. This is what is happening. When I go to the admin:

http://205.214.81.168/~mykeep/catalog/admin/

I log in and the browser asks me to do it twice before it lets me in. Then, when I click on any of the choices in the blue admin menu, it asks for the password again. I think this is because I am using a shared ssl certificate.

Now, besides the little inconveniences above, my client cannot get past the login to the ssl pages. It comes back with the login box with the username in place, and the password blank. She types in the password and up it pops again. Won't accept her login. I log in from here with her username and password and it goes right in. I know she might be doing it wrong, but she has all the right answers. LOL She has AOL :cry:

Any ideas?

Tracy Gibson

Guest Posted May 22, 2003

Sorry for the double post, but I needed to correct the IP address and this forum does not allow me to edit my own posts.

Tracy

Emmtee Posted May 23, 2003

re-asking for authentication usually comes when switching between ssl and non-ssl modes. usually you can "install" a certificate and make it always accepted... that should at least kill the security warning.

if you're using mod_rewrite then please be sure your links point to https and ssl mode is enabled at config... otherwise you'll run into redirect chaos :)

Emmtee Posted May 23, 2003

ps: looking at your link from above it's obvious... that's a http link, you're sending auth request via http, then get redirected to ssl - but for auth-security your browser demands you to re-enter the password....

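The re-prompt described in the post above can be modelled in a few lines; this is an added example, not part of the thread. Browsers cache HTTP Basic credentials per protection space (scheme, host, port, realm; RFC 7235, section 2.2), so a hop from http to https, or to a shared-certificate host name, counts as a new space. The host names and the realm below are constructed, and the model assumes every URL sits behind the same .htaccess realm.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def protection_space(url, realm):
    """Key under which a browser caches Basic credentials: scheme, host, port, realm."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port, realm)

def count_prompts(visited_urls, realm):
    """Walk a navigation sequence; return the URLs that trigger a fresh login prompt."""
    cached = set()
    prompts = []
    for url in visited_urls:
        space = protection_space(url, realm)
        if space not in cached:
            prompts.append(url)
            cached.add(space)  # password typed once, remembered for this space only
    return prompts

def cleartext_auth(visited_urls):
    """URLs where Basic credentials travel unencrypted (base64 is only an encoding)."""
    return [u for u in visited_urls if urlsplit(u).scheme.lower() == "http"]

# Constructed navigation sequences (hypothetical hosts, assumed realm name).
REALM = "Admin"
MIXED = [
    "http://shop.example/catalog/admin/",                      # bookmarked http link
    "https://secure.sharedhost.example/~shop/catalog/admin/",  # redirected to shared SSL host
    "https://secure.sharedhost.example/~shop/catalog/admin/categories.php",
    "http://shop.example/catalog/admin/orders.php",            # menu link still built as http
]
HTTPS_ONLY = [
    "https://secure.sharedhost.example/~shop/catalog/admin/",
    "https://secure.sharedhost.example/~shop/catalog/admin/categories.php",
    "https://secure.sharedhost.example/~shop/catalog/admin/orders.php",
]

if __name__ == "__main__":
    for name, nav in (("mixed", MIXED), ("https-only", HTTPS_ONLY)):
        print(name, "prompts:", len(count_prompts(nav, REALM)),
              "cleartext requests:", len(cleartext_auth(nav)))
```

Starting from the https link gives a single prompt and no request that carries the password in the clear.
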
Guest Posted May 23, 2003

I figured that was the reason that we had to re-enter the password. But I wonder why she cannot get in, but I can, using the same username and password.

Emmtee wrote:
"if you're using mod_rewrite then please be sure your links point to https and ssl mode is enabled at config... otherwise you'll run into redirect chaos"

I don't know if I am using mod_rewrite, I don't even know what that is. I had the ssl enabled in configure.php, but I had to take it off while my client enters her products. Then I will put it back when we go live, but she won't be able to get into the admin. Maybe I should send her there with the https link in the first place.

Tracy Gibson

Emmtee Posted May 23, 2003

how about showing us the first third of your configuration ... and yes, send her the https link directly

hint: if your cert is not 100% trusted (= you paid lots of money to some rootCA to claim that you're yourself) then her browser's security profile might autoreject it... get her to install netscape or opera, those browsers usually ask people before deciding to not display a page...

... and ask for the correct ERROR MESSAGE... the "doesn't work" report doesn't help you in helping her at all...

This topic is now archived and is closed to further replies.