Support

Admin Tools

#10144 admin secret URL parameter not working

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Saturday, 10 December 2011 02:40 CST

Friday, 09 December 2011 13:09 CST

user40634
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the forum before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 1.7.3
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: latest


Description of my issue:

I just installed the latest version of Admin tools on top of my older version (2.1.6). The admin secret URL parameter does not work. I can still access the admin panel without it. Please help.
Thank you.

Friday, 09 December 2011 14:28 CST

user40634
Also, I tested a failed admin login and I do not get an email when I failed to login. I have this option selected in the WAF. Please help, I never had these problems with the previous version installed.

Friday, 09 December 2011 14:46 CST

nicholas
Since Admin Tools 2.1.10 there has been a significant change: if your IP is in the Administrator IP Whitelist or the "Never block these IPs" editbox in the Configure WAF page then no security checks are applied for all requests coming from this IP. It actually makes sense! Both of these locations are supposed to contain only the IPs you absolutely trust to belong to trustworthy parties. Why perform security checks against them?

The side effect is that when you test any security feature, including the administrator secret word, from one of those IPs, you think it doesn't work. Just try using a different connection –e.g. your cellphone connected to the 'net over 3G– and you'll see that the protection does work. Many people had asked me this question on this forum when we had released Admin Tools Professional 2.1.10 :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 09 December 2011 14:56 CST

user40634
Sorry, I just now found the original forum post about this. I do not like this feature. It makes me think that the admin parameter is not working. But I have tested it and it works.

Friday, 09 December 2011 15:31 CST

nicholas
Well, this feature is very useful. It makes sure that if you access the Internet over a static IP you can always make sure that you will not be accidentally blocked out of your site (which was a very common issue with previous versions). After all, if you want to test something, you can simply turn off the whitelist feature and remove your IP from the "Never block these IPs" list in the Configure WAF. Once you're done testing, you can simply re-enable them.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 09 December 2011 16:22 CST

user40634
What I mean is, I like how this feature worked in the previous version. When I accessed the admin panel with the URL parameter, I was able to sign in. When I accessed the admin panel without the URL parameter, I was redirected to the homepage.

Friday, 09 December 2011 16:25 CST

nicholas
No, no, no! This feature works exactly the same in this version UNLESS your IP address is in either of the two whitelists I mentioned. If you remove your IP address from both of those whitelists, if you try to access your site's back-end without the secret parameter, you will be redirected to the home page.

I am saying it again: the way the Administrator Secret Key feature works has not changed.

What changed is that if you add your IP address to any of the two whitelists I mentioned three posts above, there is absolutely no security check whatsoever performed against your request. It is as if Admin Tools is disabled for the IPs in the white lists.

I hope that clarifies things.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 09 December 2011 16:34 CST

user40634
Hmmm, weird. I can access the admin panel on of my sites with the newest version of Admintools without the URL param. But I cannot access the admin panel without the URL param on another one of my sites with an older version of Admintools.

Friday, 09 December 2011 16:38 CST

nicholas
I wonder if you read my replies.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 09 December 2011 17:22 CST

user40634
I'm sorry, I see the last part now. So, that means to check if this feature is working, I have to remove my ip address from those places, logout, and then try to access the admin panel.

Saturday, 10 December 2011 02:40 CST

nicholas
Yes, exactly.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!