On Saturday, November 17, 2007 5:45 PM Paul Jordan wrote:
I just thought it would be nice if there was a simple way to move admin pages from: www.websitedomain.com/admin to say: www.websitedomain.com/adminqwerty
This really would not afford you much security.
Why not? :-) Surely if no outsider knows the URL then they can't even attempt to log in.
Also, if someone were to try to use a dictionary hack bot to guess passwords this could cause denial of service even if they never succeeded in logging in.
I agree that would be worthwhile. I guess the standard bad robot code in Interchange will provide some degree of protection here? It would be good if after say 5 incorrect login attempts from the same IP address & user id, Interchange would then display something like "You must wait at least 15 minutes before next log in attempt".
You can however: set some "retry" limiting mechanism on the login form
Any chance of something like this being incorporated in future releases?
add a captcha field - maybe if the visitor is from an unknown IP (i.e., road user) so it does not inconvenience everyone?
OK, yep, another option I suppose
Right OK, I think I understand the sort of thing you mean? You could define a different, secret entry page that set a scratch variable to a random number and then bounced you onto /admin. The html in /admin could then post the random number along with logon credentials and IC could then compare the posted random value to the scratch variable to check they match.
make the form submission be verified by a random code, that was attained during a previous page to make it hard for people to post *their* forms to your process. Make the code change every submission to assure it is not some program.
Anything that involves a bounce from another page feels like a bit of a kluge to me, but I guess it would work. Which brings me back to the thinking that...
the ability to change the admin url to a different location would be a valuable feature. None of the above solutions stop a user *finding* the admin logon page in the first place. To me it seems like a sensible and desirable feature, which is presumably why it existed in the past - shame it's disappeared. Any chance of the UI_URL variable being added back in future releases? :-)
Thanks for your suggestions.
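
Added example, not part of the original message and not Interchange code: a Python sketch of the two controls discussed above, a lockout after 5 failed logins from the same IP address and user id for 15 minutes, and a random code that is issued with the form and changes on every submission. The LoginGate class, its method names and the in-memory dictionaries are assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5            # failed attempts allowed per (IP, user id), as proposed in the thread
LOCKOUT_SECONDS = 15 * 60   # wait time proposed in the thread


class LoginGate:
    """Hypothetical helper: per-(IP, user id) lockout plus single-use form codes."""

    def __init__(self, check_password):
        self.check_password = check_password  # callable(user, password) -> bool
        self.failures = {}  # (ip, user) -> (failure count, time of last failure)
        self.tokens = {}    # session id -> code issued with the last rendered form

    def issue_token(self, session_id):
        # A fresh random code each time the login form is rendered.
        token = secrets.token_urlsafe(32)
        self.tokens[session_id] = token
        return token

    def attempt(self, session_id, ip, user, password, token, now=None):
        now = time.time() if now is None else now
        # The code is consumed by every submission, so a replayed form fails.
        expected = self.tokens.pop(session_id, None)
        if expected is None or not hmac.compare_digest(
                expected.encode(), token.encode()):
            return "bad_token"
        key = (ip, user)
        count, last = self.failures.get(key, (0, 0.0))
        if count >= MAX_FAILURES:
            if now - last < LOCKOUT_SECONDS:
                return "locked"   # the password is not checked while locked
            count = 0             # lockout has expired, start counting again
        if self.check_password(user, password):
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = (count + 1, now)
        return "denied"
```

Because the lockout is keyed on the IP address and user id together, a guessing bot locks out only its own address, which limits the denial of service concern raised above.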