[ic] Moving the admin interface to a different url
list_subscriber at yahoo.co.uk
Sat Nov 17 14:30:44 EST 2007
On Saturday, November 17, 2007 5:45 PM Paul Jordan wrote:
>> I just thought it would be nice if there was a simple way to move
>> admin pages from:
>> to say:
> This really would not afford you much security.
Why not? :-)
Surely if no outsider knows the URL then they can't even attempt to log in.
Also, if someone were to try to use a dictionary hack bot to guess passwords
this could cause denial of service even if they never succeeded in logging
> You can however:
> set some "retry" limiting mechanism on the login form
I agree that would be worthwhile. I guess the standard bad robot code in
Interchange will provide some degree of protection here? It would be good
if after say 5 incorrect login attempts from the same IP address & user id,
Interchange would then display something like "You must wait at least 15
minutes before next log in attempt".
Any chance of something like this being incorporated in future releases?
> add a captcha field - maybe if the visitor is from an
> unknown IP (i.e., road user) so it does not inconvenience everyone?
OK, yep, another option I suppose
> make the form submission be verified by a random code, that was
> attained during a previous page to make it hard for
> people to post *their* forms to your process. Make the code change
> every submission to assure it is not some program.
Right OK, I think I understand the sort of thing you mean? You could define
a different, secret entry page that set a scratch variable to a random
number and then bounced you onto /admin. The html in /admin could then post
the random number along with logon credentials and IC could then compare the
posted random value to the scratch variable to check they match.
Anything that involves a bounce from another page feels like a bit of a
kluge to me, but I guess it would work. Which brings me back to the
the ability to change the admin url to a different location would be a
valuable feature. None of the above solutions stop a user *finding* the
admin logon page in the first place. To me it seems like a sensible and
desirable feature, which is presumably why it existed in the past - shame
it's disappeared. Any chance of the UI_URL variable being added back in
future releases? :-)
Thanks for your suggestions.
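
The retry limit proposed in the message above (5 incorrect attempts from the same IP address and user id, then a 15-minute wait), as an added example that is not part of the original post and is not Interchange code. The class name `LoginThrottle`, the `check_password` callback and the sample address and credentials are hypothetical.

```python
import time

MAX_FAILURES = 5             # from the post: 5 incorrect login attempts
LOCKOUT_SECONDS = 15 * 60    # from the post: wait at least 15 minutes


class LoginThrottle:
    """Counts failed logins per (ip, user_id) pair and enforces a lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the lockout can be tested
        self._state = {}         # (ip, user_id) -> (failures, locked_until)

    def seconds_until_allowed(self, ip, user_id):
        _, locked_until = self._state.get((ip, user_id), (0, 0.0))
        return max(0.0, locked_until - self._clock())

    def attempt(self, ip, user_id, password, check_password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        key = (ip, user_id)
        if self.seconds_until_allowed(ip, user_id) > 0:
            # The password is not evaluated during a lockout, so a locked-out
            # client cannot learn whether a guess was right.
            return "locked"
        failures, locked_until = self._state.get(key, (0, 0.0))
        if locked_until:         # an expired lockout starts a fresh count
            failures = 0
        if check_password(user_id, password):
            self._state.pop(key, None)   # success clears the counter
            return "ok"
        failures += 1
        if failures >= MAX_FAILURES:
            locked_until = self._clock() + LOCKOUT_SECONDS
        else:
            locked_until = 0.0
        self._state[key] = (failures, locked_until)
        return "locked" if locked_until else "denied"


if __name__ == "__main__":
    # Constructed sample data: documentation IP range, made-up credentials.
    throttle = LoginThrottle()
    check = lambda user, pw: (user, pw) == ("admin", "correct-horse")
    for i in range(6):
        print(i + 1, throttle.attempt("203.0.113.7", "admin", "guess%d" % i, check))
    wait = throttle.seconds_until_allowed("203.0.113.7", "admin")
    print("You must wait at least %d minutes before next log in attempt" % (wait // 60 + 1))
```

Because the counter is keyed on the IP address and user id together, it limits repeated guessing from one address without locking the legitimate administrator out from another address.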