Raven2000 Posted April 22, 2004

Hi, I don't know if anyone else has this problem, but I just discovered that when I'm logged into my site as a customer I can access all admin facilities without entering the admin password. I simply type admin after the https://mydomain.com/osCommerce/admin and it opens up the admin section even though I haven't given the admin password or login. Has anyone uncovered this problem on their site and overcome it? Help please, this is a major security issue.

Mel :(

bluepony Posted April 22, 2004

You can password protect it using .htaccess (htaccess tutorials are on the web). If your web hosting control panel allows you to set up password protected directories, set up a group, add a user to that group, and then password protect the admin directory. There are also some Admin password contributions as well. See more tips at http://wiki.oscommerce.com/docsInstallNew

I'd rather be flying!

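A check for the .htaccess setup described in the post above (a group, a user in it, a password-protected admin directory), as an added example that is not part of the thread or of osCommerce. It parses an admin-directory .htaccess and reports missing Apache auth directives or a password file stored inside the web root; the paths, realm and group names are constructed placeholders.

```python
import posixpath

# Constructed samples: paths, realm and group names are placeholders.
DOC_ROOT = "/var/www/html"
PROTECTED = """AuthType Basic
AuthName "Store admin"
AuthUserFile /var/www/private/.htpasswd
AuthGroupFile /var/www/private/.htgroup
Require group admins
"""
WEAK = """AuthType Basic
AuthName "Store admin"
AuthUserFile /var/www/html/osCommerce/admin/.htpasswd
"""

def parse_directives(text):
    """Map lower-cased directive name -> list of argument strings."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *rest = line.split(None, 1)
            found.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return found

def under_root(path, root):
    """True if an absolute path resolves to a location inside root."""
    path = posixpath.normpath(path.strip('"'))
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def audit_htaccess(text, doc_root):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    if not any(a.lower() in ("basic", "digest") for a in d.get("authtype", [])):
        findings.append("no AuthType: the directory never asks for a login")
    kinds = [a.split()[0].lower() for a in d.get("require", []) if a.split()]
    if not any(k in ("valid-user", "user", "group") for k in kinds):
        findings.append("no Require valid-user/user/group: nobody is checked")
    if "group" in kinds and not d.get("authgroupfile"):
        findings.append("Require group used without AuthGroupFile")
    if not d.get("authuserfile"):
        findings.append("no AuthUserFile: no password file to check against")
    for path in d.get("authuserfile", []) + d.get("authgroupfile", []):
        if under_root(path, doc_root):
            findings.append(path + " is inside the document root")
    return findings

if __name__ == "__main__":
    for label, sample in (("PROTECTED", PROTECTED), ("WEAK", WEAK)):
        print(label, audit_htaccess(sample, DOC_ROOT) or "ok")
```
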
TerryK Posted April 22, 2004

With my server, if I log in to the admin section of my site via .htaccess, it will remember my login for as long as my browser session remains open. (If I close IE down completely, then open it up again, I have to relogin via .htaccess to gain access to the admin section again.)

Could it be that this is what's happening to you? Try closing your browser completely, then going to the store as a 'customer' and THEN try to access Admin and see if it still happens.

HTH,
Terry

Terry Kluytmans
Contribs Installed: Purchase Without Account (PWA); Big Images, Product Availability, Description in Product Listing, Graphical Infobox, Header Tags Controller, Login Box, Option Type Feature, plus many layout changes & other mods of my own, like:
Add order total to checkout_shipment
Add order total to checkout_payment
Add radio buttons at checkout_shipping (for backorder options, etc.)
Duplicate Table Rate Shipping Module
Better Product Review Flow
* If at first you don't succeed, find out if there's a prize for the loser. *

Pompeylad Posted April 22, 2004

Terry,

Would this mean that anybody can access it when the store owner has entered it? Or just that computer?

Pompeylad.

PHP?!? Long live HTML!!!! But then again we never stop learning.

TerryK Posted April 22, 2004

AFAIK, it applies to ONLY my computer. Another example: if I open up both MSIE and Netscape and try to access my /admin section from both, I have to enter my username and password for EACH browser. Once I have logged in, my sessions will remain in effect for however long I keep each browser window open. (Closing the browser and re-opening it will force the prompt to login the next time I try to access admin.)

HTH,
Terry

Archived
This topic is now archived and is closed to further replies.