#37705 WAF Configuration - Forbid Frontend Super Administrator Login

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by wynchcote on Wednesday, 07 September 2022 12:50 CDT

wynchcote

Hi,

Can you please help shed some light on this issue I am experiencing?

---

I am finding that when the following Global Configuration settings are selected, the result is different depending upon whether Admin Tools is installed.

---

Global Configuration >

System > Session > Shared Sessions = NO

Site > Front End Editing = NO

---

With the above settings, when I log into the Dashboard then I should not be simultaneously logged into the Front End.

This is indeed the result in sites when Admin Tools is not installed.

But not when I log into the Dashboard on a site with Admin Tools installed.

---

Example site with Admin Tools installed.

Same Global Configuration settings.

And WAF > Configuration > Hardening Options > Forbid Front End Super Administrator Login = YES

---

What could the problem be?

Surely with the above settings I should not be able to sign in the Front End as Super User.

And even if I do as a user with lesser special permissions then I should not be simultaneously logged into the Dashboard.

Thank you for your time.

Ken :)

PS

Using Admin Tools 7.1.10 + Joomla! 4.2.2 + PHP 8.0

nicholas
Akeeba Staff
Manager

> Surely with the above settings I should not be able to sign in the Front End as Super User.

You understand this the wrong way. When using shared settings things work differently.

You will not be able to use the frontend login box and login page to log into your site.

You can, however, log into the backend of your site. When you do that you are logged into BOTH the backend (administrator) AND the frontend (site) Joomla application.

If we prevented all frontend sessions when shared sessions are enabled we'd effectively lock you out of our site permanently, both back- and frontend, since both back- and frontend sessions are created when you log into the backend.

In fact, using shared sessions may just as well be the safest way to use your site's frontend as a Super User. You cannot log into it using a username and password BUT you can do that through the backend (which can be further protected).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

wynchcote

Hi Nicholas,

Thanks for clarifying this for me.

Best wishes,

Ken :)
