You are actually both right and wrong at the same time. It has to do with the way this feature works and the way Joomla! handles sessions.
Let's say that you chose:
- Administrator secret URL parameter: test
- Change administrator login directory to: foobar
When you visit www.example.com/foobar?test, Admin Tools intercepts the request, generates a special cookie (using a secure token and a hash based on your browser signature and IP address) and forwards you to www.example.com/administrator?test. On this page two things happen:
- Admin Tools sees the "special cookie", verifies that it wasn't stolen and sets a session flag, let's call it FLAG1. From now on you are allowed to access /administrator: the FLAG1 is your pass. This flag is kept active as long as your back-end session exists. Keep that in mind.
- Admin Tools sees the "test" query string parameter and verifies it against the admin secret URL parameter. If it matches it sets another session flag, let's call it FLAG2. Unlike FLAG1, FLAG2 is unset once you log in.
Moreover, in order to avoid kicking you out accidentally, if FLAG1 is not set but you are already logged in the back-end of your site Admin Tools will set FLAG1 even though you never used www.example.com/foobar to access your site.
The only way to clear FLAG1 is to manually log out of your site's back-end. If your login times out, your session is still kept open by Joomla!, so FLAG1 is still set and you are indeed allowed to access your site's backend through www.example.com/administrator?test. This sounds completely unexpected, but that's how Joomla!'s session management works. It's batshit crazy, I'll give you that!
So, please try this to verify that what you intended to happen is actually how we have implemented it: once you are logged in to your site's back-end, log out from it using the gear menu at the top right-hand corner, choosing Logout. Now try these login methods, in this EXACT sequence:
- www.example.com/administrator - You are kicked out to the front-end because you don't know the cloaked admin login directory
- www.example.com/foobar - You are kicked out to the front-end because you know the cloaked admin login directory but not the secret URL parameter
- www.example.com/administrator?test - It works. You have already proved that you know the cloaked admin login directory and now you proved you know the secret URL parameter
Log in, then log out again. Now try these, in this order:
- www.example.com/administrator - You are kicked out to the front-end because you don't know the cloaked admin login directory
- www.example.com/administrator?test - It works. You are kicked out to the front-end because you don't know the cloaked admin login directory (even though you know the secret URL parameter)
- www.example.com/foobar?test - It works. You know both the cloaked directory AND the secret URL parameter.
The important thing to remember is that a hacker coming to your site must know both pieces to see the login page. If you are also using the admin password protection and two factor authentication you've made their lives absolutely miserable if they ever wanted to brute force your admin password. They will either try to hack you from a different route or call it a day and move on to a different, easier target.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
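As an added illustration (not Admin Tools' or Joomla!'s own code), the following Python model applies the FLAG1/FLAG2 rules laid out in the reply above so the two request sequences, plus the timed-out-login case, can be replayed; the class and method names, the single-use cookie and the exact "allowed" rule are assumptions made for the model.

```python
# Added model (not Admin Tools' own code) of the FLAG1/FLAG2 session logic
# described in the reply; names, the single-use cookie and the "allowed"
# rule are assumptions made for illustration.
from dataclasses import dataclass

CLOAKED_DIR = "foobar"   # "Change administrator login directory to"
SECRET_PARAM = "test"    # "Administrator secret URL parameter"


@dataclass
class Session:
    """Joomla! back-end session; it outlives a timed-out login."""
    flag1: bool = False      # pass for /administrator, cleared only by logout
    flag2: bool = False      # secret parameter seen, cleared on login
    logged_in: bool = False


class Browser:
    def __init__(self):
        self.session = Session()
        self.special_cookie = False   # issued when the cloaked directory is visited

    def visit(self, path, query=None):
        """Return 'back-end' or 'front-end' for one request."""
        if path == "/" + CLOAKED_DIR:
            self.special_cookie = True            # cookie tied to browser + IP
            return self.visit("/administrator", query)
        if path != "/administrator":
            return "front-end"
        s = self.session
        if self.special_cookie:                   # cookie verified -> FLAG1
            s.flag1 = True
            self.special_cookie = False           # assumption: single use
        if s.logged_in:                           # already logged in -> FLAG1
            s.flag1 = True
        if query == SECRET_PARAM:                 # secret matches -> FLAG2
            s.flag2 = True
        if s.flag1 and (s.flag2 or s.logged_in):
            return "back-end"
        return "front-end"

    def login(self):
        self.session.logged_in = True
        self.session.flag2 = False                # FLAG2 is unset on login

    def timeout(self):
        self.session.logged_in = False            # the session itself survives

    def logout(self):
        self.session = Session()                  # the only way to clear FLAG1
```

Replaying the post's sequences with this model shows why `/administrator?test` still reaches the back-end after a login merely times out, and stops doing so only after an explicit logout.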