Author Topic: admin login?  (Read 2115 times)

rabbeltje

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
admin login?
« on: October 29, 2008, 01:25:18 PM »
Do I understand correctly that the admin section is not protected by any login? Could anyone help me out here (if possible by handing me a proper login script... ;))? I'd like to protect that part of my site, obviously!

Xander

  • Developer
  • Administrator
  • Full Member
  • *****
  • Posts: 240
  • Karma: +5/-0
    • View Profile
    • CompactCMS.nl
Re: admin login?
« Reply #1 on: October 29, 2008, 07:19:11 PM »
Obviously :D

My intention has been to keep CompactCMS as "compact" as possible. By not including a - for CompactCMS - specific login with its own database structure etc., I want to keep the possibility open for others to include their already existing login script (with current database and thus current users). This is to prevent anyone from having to mirror databases.

Anyway: if that is not the case for you, you can easily password protect your installation using the .htaccess protection that Apache offers. See this link for more information and an online generator. A protection method I use for e.g. www.compactcms.nl/admin/.

Cheers!
Xander.
Don't ever hold back your suggestions. Help me either to improve CompactCMS or spread the word about it on sites such as Twitter, Digg, StumbleUpon, etc :). Thanks!

-fred-

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: admin login?
« Reply #2 on: December 07, 2008, 08:06:02 PM »
Is it possible to just change the name from index.php to something else?
Since the .htpasswd doesn't work properly at my free host, I probably have to make some kind of login script (which will have to be named index.php to secure the whole folder) :s

Xander

Re: admin login?
« Reply #3 on: December 07, 2008, 09:26:43 PM »
It can be done, but it has a downside though... Index.php is hardcoded in some files, which could be changed of course, but when a new version becomes available you'll need to do the adjustment all over again. If you do want to give this a try, however, you might want to start with the index.php file itself and the common.js file within the /admin/includes/js/ folder. That might maybe already do the trick.

There is just one thought I have: both .htaccess and .htpasswd are Apache handlers for specific actions. It could be that a free host denies access to these, but it doesn't make sense to me that a host would deny .htpasswd and allow .htaccess. It's the same thing.

You might also want to consider keeping it real simple by putting all of the index.php content in an if statement that checks for your IP. For example:

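// REMOTE_ADDR holds the client's IP address; REMOTE_HOST is a reverse-DNS host name and is often not set
if($_SERVER['REMOTE_ADDR'] == "xxx.xxx.xxx.xxx" || $_SERVER['REMOTE_ADDR'] == "yyy.yyy.yyy.yyy") {

    // index.php content here

} else die("You need to login");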

Of course with the downside that you can only access it from an IP address you specified before (either xxx.xxx.xxx.xxx or yyy.yyy.yyy.yyy).

My suggestion: check with your host if it is indeed true that .htpasswd doesn't work, then you might want to try changing the references to index.php in /admin/index.php and /admin/includes/js/common.js to the renamed file. And if that doesn't work you'll need another option. Either another security script that does allow renaming or an if statement check of some kind.

Good luck :)!
Xander.

-fred-

Re: admin login?
« Reply #4 on: December 09, 2008, 01:05:20 AM »
Hi,

Thanks for another quick reply.  Many thoughts have come to mind, but to respond:
- logging in by IP is pretty useless as it changes every xxx days here :)
- renaming the admin/index.php does seem like the most work, so I'll leave that as a last option  ::)

I tried another host, it denies both .htaccess and .htpasswd, so that didn't help me  ;D

So that's why I was thinking, based on your IP post, to add some security on the index page itself, and I believe it could be as simple as an include?  Based on what I found on the net.  Last step would probably be forcing the 'security script' to run first (not sure with what command, to be honest).

Does it make sense?  :-\   :P

Xander

Re: admin login?
« Reply #5 on: December 09, 2008, 01:44:53 AM »
And just to stay true to my quick reply image :):

I think you have a good solution with your include option. Doesn't have to be an include per se, but it made me think. 2.5 options I have to offer you:

1) Change the default page that is being shown upon request. In other words, where normally index.php or index.html is the default start page, you could change this to password.php and keep index.php intact. You'll need .htaccess for this, which is something you need anyway for CompactCMS to work. More info

2) Make a session option on the /admin/index.php file. For example:

Quote
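<?php
session_start();

// Read request and session values defensively so missing keys do not raise notices
$action  = isset($_POST['action']) ? $_POST['action'] : '';
$current = isset($_SESSION['currentsession']) ? $_SESSION['currentsession'] : '';

if($current === md5(session_id())) {

    // Complete current index.php content

} elseif(empty($current) && $action != "login") {

    // Login form that posts to the next part, which will set the $_SESSION[] variable
    // ...
    // <input type="hidden" name="action" value="login" />
    // ...

} elseif(empty($current) && $action == "login" && $_SERVER['REQUEST_METHOD'] == "POST") {

    // Check the submitted login details first (that check is not shown in this sketch).
    // Here you set the $_SESSION['currentsession'] variable to the value of md5(session_id()),
    // which then grants you access to the main content of index.php
    $_SESSION['currentsession'] = md5(session_id());

}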

Not sure if that will be all that much easier than changing files, but at least it will only require one file to change.

2.5) The 2.5 solution is similar to the 2.0 solution, but a ready-made one. Might be just that bit easier :). See this url. I will by the way consider making password protection an option from within the script. But don't expect that anytime soon :)... I have plenty of to-dos already for the next four versions ;).

Cheers!
Xander.
« Last Edit: December 09, 2008, 01:46:29 AM by Xander »
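
Option 2 from the reply above, written out as a small gate file that /admin/index.php can include, as -fred- suggested. This is an added example, not part of the original posts or of CompactCMS; the file name auth_gate.php, the gate_* functions, the gate_user session key and the ADMIN_USER / ADMIN_HASH constants are assumptions.

```php
<?php
// auth_gate.php -- added example, not CompactCMS code.
// Put  require __DIR__ . '/auth_gate.php';  on the first line of /admin/index.php.
// Assumption: one admin account. Create the hash once on the command line with
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), "\n";'
const ADMIN_USER = 'admin';                            // hypothetical user name
const ADMIN_HASH = 'PASTE-password_hash-OUTPUT-HERE';  // placeholder, not a real hash

session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']); // PHP 7.3+
session_start();

function gate_is_logged_in(): bool {
    return isset($_SESSION['gate_user']) && $_SESSION['gate_user'] === ADMIN_USER;
}

function gate_try_login(string $user, string $pass): bool {
    // Evaluate both checks every time so a wrong user name is not faster to reject.
    $pass_ok = password_verify($pass, ADMIN_HASH);
    $user_ok = hash_equals(ADMIN_USER, $user);
    if (!($user_ok && $pass_ok)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after login (blocks fixation)
    $_SESSION['gate_user'] = ADMIN_USER;
    return true;
}

if (!gate_is_logged_in()) {
    $failed = false;
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'login') {
        $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
        $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
        if (gate_try_login($user, $pass)) {
            header('Location: ' . $_SERVER['SCRIPT_NAME']); // reload the page as a GET
            exit;
        }
        $failed = true;
    }
    ?>
    <form method="post">
      <?php if ($failed) { echo '<p>Login failed.</p>'; } ?>
      <input type="hidden" name="action" value="login" />
      <input name="user" autocomplete="username" />
      <input name="pass" type="password" autocomplete="current-password" />
      <button type="submit">Log in</button>
    </form>
    <?php
    exit; // anonymous requests stop here; the rest of index.php never runs
}
```

Until a real hash is pasted into ADMIN_HASH, password_verify() rejects every attempt, so the gate fails closed.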

-fred-

Re: admin login?
« Reply #6 on: December 10, 2008, 12:02:59 AM »
aye caramba  :P

Option 2.5 was kinda what I meant ;)  Didn't know it was this easy, I already had 3 pages  ;D

I started something which defines the users in the database, as there already is a db, why not use it!  It's probably safer to encrypt it in there also.  I still have to add the actual login form at this stage.  But basically it would be the same.  I might expand what you gave me after I did some reading (it's been 2 years since I used PHP and even then it was limited to some small tutorials  ;D )

I'm happy to have at least some protection now!  About the session ... never used it, so a little scared to try it out in the first instance.  But I might in the future!

A login is indeed a nice todo item, I don't think it would affect the 'compactability' of the system :)  But I can imagine you already are very busy with your day job and freelance job :) (I'm hoping to offer small web services someday as well  ::) )

thanks again ;)

Xander

Re: admin login?
« Reply #7 on: December 10, 2008, 02:13:40 AM »
You should always use something that is already out there when it's good and easy to use ;D. So option 2.5 is then actually the best way to go. Because in all fairness: why do you think I used TinyMCE in my CompactCMS editor? Why would I code an advanced text editor when a good and reliable one is already out there :)? Which is also the reason why I did create a new CMS... I just thought that there weren't any out there that actually did what is in the name... Content Management System (and not component, module, menu, static content, dynamic content, etc.)

Well, having said that: it seems like you and CompactCMS are getting along just fine already. Good to read! In the meantime I just suggest you put a second installation online somewhere and experiment with it. Try different solutions and see what happens (if you're not satisfied with the current protection).

And just between you and me (and any other readers *Hi!*), it's not that I'm all that busy, I just have different priorities at the moment. I'm doing a masters in Marketing, studying Spanish on the side and do have some freelance projects from acquaintances. Nothing too big, just working towards something bigger :).

We'll see where it all ends up right :D? For now I just enjoy the fact that something that I find useful for the way I work is actually being adopted by others from around the world as well. So keep it up, get your websites rolling and don't forget to then include an invisible link ;).

Cheers,
Xander.
« Last Edit: December 10, 2008, 02:16:33 AM by Xander »

-fred-

Re: admin login?
« Reply #8 on: December 11, 2008, 12:27:26 AM »
Ah yes, I got annoyed by stuff like Drupal as I simply don't need all those modules and extras!  I did come across one tiny but so freaking nice CMS without database!  The layout however is poor, but it does what it says :)  CompactCMS on the other hand looks more professional (with the editor and admin menu)!  And it's still expandable if needed (guestbook or news script can come nicely in the admin section).  With Drupal or so you have no choice but to take what they offer.

I was indeed planning on experimenting on a second installation (byethost offers 3 free databases, so still some room :P ).  Makes me kinda learn the hard way :)

Aaah, still studying, so am I, evening school for fiscalist.  After that I'm planning to take some courses in web design (really looking forward to learning about SEO for instance!).  That is, if I keep my current job ;x