admin panel?

[BMWGuy]

dudes, let's stop supposing that the developers of phpbb are doing anything on purpose to prevent people from getting in the admin's panel. First, they have never said anything of the such, and second, if they are trying to prevent users from getting into the admin's panel, they are not doing a very good job.

In fact, I've never once experienced trouble logging into the admin's panel. This leads me to believe that they really are not trying to cover anything up (or at the very least, the admin's panel).

Just my 2 cents, anyways..........

[Graham]

What everyone has to bear in mind is that the ACP is still a work in progress, there are bits which are not finished.

However the reauthentication to access it will stay for reasons of security. This means that to access the ACP, you must know the password, you can't do it just by stealing or faking the cookie based on other information (which has been one of the more common reported methods seen on 2.0.x)

[cyberCrank]

I'm not disputing that it's an excellent security measure, what I am disputing is the need to reauthenticate under the following circumstances:

1. Autologin is NOT enabled.
2. User has logged on (authenticated) within the last minute.

This is doable and not unreasonable and makes sense as long as the username and password is known to be entered explicitly and manually for an Administration account, then the Sessions Table record could have the session_admin field set to 1 to indicate explicit authentication has occurred. Once this is done, it appears to remain set for the life of the session.

But, one concern still resides with ACP athentication and that is the fact that alternate methods exist that capture username-password combinations (as with Windows IE) and phpBB does not deactivate this mechanism as is done with some other web apps.

[APTX]

If you hate the re-authentication so much all you need to do is comment out 3-4 lines. Is that difficult?

[olger901]

It might be for guys like him, that don't know much about php. But then again, you shouldn't be using the CVS unless you really know what you are doing.

[q3utom]

However the reauthentication to access it will stay for reasons of security. This means that to access the ACP, you must know the password, you can't do it just by stealing or faking the cookie based on other information (which has been one of the more common reported methods seen on 2.0.x)

imo thats a very nice feature. Can sleep safe knowing you won't get hacked

[grön]

However the reauthentication to access it will stay for reasons of security. This means that to access the ACP, you must know the password, you can't do it just by stealing or faking the cookie based on other information (which has been one of the more common reported methods seen on 2.0.x)

imo thats a very nice feature. Can sleep safe knowing you won't get hacked

Agree

[psoTFX]

1. Autologin is NOT enabled.
2. User has logged on (authenticated) within the last minute.

Get used to it, it ain't changing.

[lwq]

It ain't changing but there can be a mod on it right?Anyway, is the admin panel puposefully not functioning?

[grön]

It ain't changing but there can be a mod on it right?Anyway, is the admin panel puposefully not functioning?

phpBB is relesed under the GPL so change that code if you like to, it aint so enaoying (not enoying at all in my opinion).
what "puposefully" means I dont know!