tim_ver Posted July 15, 2003

OK, I have a question on an admin area. I want to protect it so others cannot access it. I have read in the install instructions where it says change the admin directory to another name, "i.e. other". This seems to work a little but has pathing issues. How do I get better protection? I thought maybe a .htaccess file. Help please, thanks. Also, I have never done an .htaccess file.

Guest Posted July 15, 2003

If you are with a hosting provider you can password protect your admin folder with CPanel/directory protection or you can install this contribution http://www.oscommerce.com/community/contributions,1174

HTH

The_Bear
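
As an added example (not part of the thread or of osCommerce), this is the kind of `.htaccess` file that Apache directory password protection relies on, written by hand for an admin folder. The paths, realm name and user name are placeholders, and it assumes an Apache host that permits `AllowOverride AuthConfig` for the directory.

```apache
# Save as .htaccess inside the admin directory, e.g. catalog/admin/.htaccess
# (the directory name is an assumption; use whatever your admin folder is called).

# HTTP Basic authentication: the browser prompts before any admin page is served.
AuthType Basic
AuthName "Store administration"

# Password file. Keep it OUTSIDE the web root so it can never be downloaded.
# /home/EXAMPLE_USER/.htpasswds/admin is a placeholder path.
# Create it once from a shell (htpasswd ships with Apache):
#   htpasswd -c /home/EXAMPLE_USER/.htpasswds/admin EXAMPLE_ADMIN
# Add further users later by running the same command without -c.
AuthUserFile /home/EXAMPLE_USER/.htpasswds/admin

# Any user listed in the password file may enter; everyone else gets 401.
Require valid-user

# Basic auth sends the password with every request, only base64-encoded.
# If the host has mod_ssl loaded, refuse plain-HTTP access to this directory
# so the credentials only ever travel over HTTPS.
SSLRequireSSL
```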

tim_ver Posted July 15, 2003

Ok, so this is the best? I have directory password protect and can use this. Should I also change the directory name? Thanks

Guest Posted July 15, 2003

No, you don't have to.

The_Bear

papasan Posted July 15, 2003

now why wouldn't the osC programmers incorporate this into the basic osC code? seems like an obvious glaring hole, to leave the admin open to the world as a default. going to be a pain in the butt trying to figure out the differences to merge this 2.1 code now...sheesh...come on guys.

Guest Posted July 15, 2003

Web security is sufficient and *better*. Thus, it should be used when available, and when it is used, there is no reason to have to login a second time through osCommerce itself.

Cheers,
Matt

tswalling Posted July 15, 2003

tim_ver: Changing the folder name prevents someone from knowing your admin folder name right off the bat in case they were interested in trying to gain access to it. Doesn't mean someone couldn't find out which folder your admin area was, but at least it wouldn't be the default one.

papasan: Not sure if there has been a discussion on this elsewhere, I'm sure there has, but my guess for the developers not including code to secure the admin area is either a) if they leave it up to the user, no liability on their part if someone had their site hacked and/or b) people decide to place their admin folder in various places, i.e., separate server, different folder, etc., so no reason to include a default protection method for it.

papasan Posted July 15, 2003

even with the ability to change the folder name (very poor security if you ask me) it wouldn't be difficult to add a config switch to require log-in or not. i much prefer osC's modded log-in to folder password because of the flexibility to add users with specific access.

anyhow, looks like i have the next week's work set out for me, going through the admin add-on's many lines of code, written for 2.1, comparing it with 2.2's code and trying to figure out what to hack in and what not to. it definitely does _not_ work out of the box and the author left no indication what lines were modded (but at least listed the modded files, at least half a dozen)...time to push my poor php skills.

tswalling Posted July 15, 2003

> even with the ability to change the folder name (very poor security if you ask me) it wouldn't be difficult to add a config switch to require log-in or not. i much prefer osC's modded log-in to folder password because of the flexibility to add users with specific access.

Changing the folder name isn't security, sorry if I implied that. I was just telling tim_ver someone might want to change the name. Given that most people have the "powered by oscommerce" link at the bottom of their site, any malicious user can quickly assume that /admin/ is the folder name of the admin area.

Again, I think it's good to leave security up to the end user. This removes all liability from the developers, not that they ever would be if they did include security for it, if someone were to gain access to your admin control panel. This is only my guess on why it's not included. I don't really know why it isn't.

Guest Posted July 15, 2003

I've applied the "contribution" and I get the following error when I browse to the "admin" area.

Fatal error: Failed opening required 'includes/application_top.php' (include_path='.:/php/includes:/usr/share/php') in /home/virtual/site357/fst/var/www/html/catalog/admin/index.php on line 13

I'm currently using osCommerce 2.2 Milestone 2 (07/12/2003).

Do I have to change permissions or something...

TIA

This topic is now archived and is closed to further replies.