admin panel?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
BMWGuy
Registered User
Posts: 147
Joined: Fri Sep 17, 2004 7:28 pm
Location: Michigan, USA

Re: admin panel?

Post by BMWGuy »

dudes, let's stop supposing that the developers of phpbb are doing anything on purpose to prevent people from getting in the admin's panel. First, they have never said anything of the such, and second, if they are trying to prevent users from getting into the admin's panel, they are not doing a very good job.

In fact, I've never once experienced trouble logging into the admin's panel. This leads me to believe that they really are not trying to cover anything up (or at the very least, the admin's panel).

Just my 2 cents, anyways.......... :? :? :)
Think that the developers have secretly stopped working on PhpBB v2.2? Think again........see the latest progress HERE:
Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: admin panel?

Post by Graham »

What everyone has to bear in mind is that the ACP is still a work in progress, there are bits which are not finished.

However the reauthentication to access it will stay for reasons of security. This means that to access the ACP, you must know the password, you can't do it just by stealing or faking the cookie based on other information (which has been one of the more common reported methods seen on 2.0.x)
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!
cyberCrank
Registered User
Posts: 560
Joined: Wed Jan 28, 2004 3:38 am
Location: Ethereal Bliss

Re: admin panel?

Post by cyberCrank »

Roberdin wrote:I'm not disputing that it's an excellent security measure, what I am disputing is the need to reauthenticate under the following circumstances:

1. Autologin is NOT enabled.
2. User has logged on (authenticated) within the last minute.
This is doable and not unreasonable and makes sense as long as the username and password are known to be entered explicitly and manually for an Administration account, then the Sessions Table record could have the session_admin field set to 1 to indicate explicit authentication has occurred. Once this is done, it appears to remain set for the life of the session.

But, one concern still resides with ACP authentication and that is the fact that alternate methods exist that capture username-password combinations (as with Windows IE) and phpBB does not deactivate this mechanism as is done with some other web apps.
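
The re-authentication gate discussed in the posts above, as an added example that is not phpBB's code and not part of any post: a session created from a cookie or normal login cannot enter the ACP until the password is checked again and the flag is set on that session. Only the `session_admin` field name comes from the thread; the class, its methods and the sample data are hypothetical.

```php
<?php
// Added illustration, not phpBB source. Only the session_admin field name
// comes from the thread; every other name here is hypothetical.

final class SessionStore
{
    /** @var array<string, array{user_id:int, session_admin:int}> */
    private array $sessions = [];

    /** @param array<int, string> $passwordHashes user_id => password_hash() output */
    public function __construct(private array $passwordHashes) {}

    // Ordinary login or cookie autologin: the session exists, session_admin stays 0.
    public function create(int $userId): string
    {
        $sid = bin2hex(random_bytes(16));
        $this->sessions[$sid] = ['user_id' => $userId, 'session_admin' => 0];
        return $sid;
    }

    // The ACP gate: holding a valid session id is not enough on its own.
    public function canEnterAcp(string $sid): bool
    {
        return ($this->sessions[$sid]['session_admin'] ?? 0) === 1;
    }

    // Explicit re-authentication: the password is verified again, and only then
    // is session_admin set to 1, where it stays for the life of this session.
    public function reauthenticate(string $sid, string $password): bool
    {
        if (!isset($this->sessions[$sid])) {
            return false;
        }
        $hash = $this->passwordHashes[$this->sessions[$sid]['user_id']] ?? '';
        if (!password_verify($password, $hash)) {
            return false;
        }
        $this->sessions[$sid]['session_admin'] = 1;
        return true;
    }
}

// Constructed sample data: user 2 is the administrator account.
$store = new SessionStore([2 => password_hash('correct horse', PASSWORD_DEFAULT)]);
$sid = $store->create(2);                         // all that a copied cookie provides
var_dump($store->canEnterAcp($sid));              // gate checked with the session alone
var_dump($store->reauthenticate($sid, 'guess'));  // wrong password leaves the flag at 0
var_dump($store->reauthenticate($sid, 'correct horse'));
var_dump($store->canEnterAcp($sid));              // gate checked after explicit re-auth
```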
APTX
Registered User
Posts: 680
Joined: Thu Apr 24, 2003 12:07 pm

Re: admin panel?

Post by APTX »

If you hate the re-authentication so much all you need to do is comment out 3-4 lines. Is that difficult?
Don't give me my freedom out of pity!
olger901
Registered User
Posts: 536
Joined: Tue May 11, 2004 4:57 pm

Re: admin panel?

Post by olger901 »

It might be for guys like him, that don't know much about php. But then again, you shouldn't be using the CVS unless you really know what you are doing.
-
q3utom
Registered User
Posts: 172
Joined: Sun Aug 10, 2003 8:53 pm
Location: folkestone, kent, uk

Re: admin panel?

Post by q3utom »

Graham wrote: However the reauthentication to access it will stay for reasons of security. This means that to access the ACP, you must know the password, you can't do it just by stealing or faking the cookie based on other information (which has been one of the more common reported methods seen on 2.0.x)
imo that's a very nice feature. Can sleep safe knowing you won't get hacked :)
grön
Registered User
Posts: 151
Joined: Tue Jun 01, 2004 8:21 am
Location: Ljusdal, Sweden

Re: admin panel?

Post by grön »

q3utom wrote:
Graham wrote: However the reauthentication to access it will stay for reasons of security. This means that to access the ACP, you must know the password, you can't do it just by stealing or faking the cookie based on other information (which has been one of the more common reported methods seen on 2.0.x)
imo that's a very nice feature. Can sleep safe knowing you won't get hacked :)
Agree
Get Firefox and install the BBcode extension; then you are a real forum power user!
My reason for using phpBB is mrgreen
Peace-Love-Unity-STRENGTH
psoTFX
Registered User
Posts: 1984
Joined: Tue Jul 03, 2001 8:50 pm

Re: admin panel?

Post by psoTFX »

Roberdin wrote:1. Autologin is NOT enabled.
2. User has logged on (authenticated) within the last minute.
Get used to it, it ain't changing.
lwq
Registered User
Posts: 64
Joined: Thu Nov 06, 2003 9:12 am
Location: Singapore

Re: admin panel?

Post by lwq »

It ain't changing but there can be a mod on it right? Anyway, is the admin panel puposefully not functioning?
lwq
grön
Registered User
Posts: 151
Joined: Tue Jun 01, 2004 8:21 am
Location: Ljusdal, Sweden

Re: admin panel?

Post by grön »

lwq wrote: It ain't changing but there can be a mod on it right? Anyway, is the admin panel puposefully not functioning?
phpBB is released under the GPL so change that code if you like to, it ain't so annoying (not annoying at all in my opinion).
What "puposefully" means I don't know!