28 replies to this topic

[alancwade]

burt,

I commented out the 2 lines mentioned in the first post you sent me to read on your blog from eneigma1.

I no longer have the "Error: Invalid administrator login attempt." I can log in to admin through the login form.

My question now is; the code that I commented out, does it make my backend any less secure?

Thanks

[burt]

Try to set a htpasswd on your admin folder.

[alancwade]

burt,

I htpasswd protected my admin.

So now when I enter this development site, I have htpasswd protected the subdomain of the entire site, then the admin, and then login in admin form. All working OK.

Looks like it is all done. Any more thoughts?

Thanks a bunch.

[burt]

So long as you definitely have;

username/pass on the usual oscommerce login page working
AND
username/pass on htpasswd protection (grey popup box)

then that is a good first defence. We still have no reason why it did not work in the first place, but I suppose that's unimportant so long as you have this alternative system working.

Make sure that you now also follow this thread;
http://forums.oscommerce.com/topic/375288-updated-security-thread/
in order to be more secure.

[infodel]

burt, on 24 May 2011, 22:13, said:

Please log into phpmyadmin and post here the configuration_value of these 3 configuration_keys from the configuration table;

MODULE_ACTION_RECORDER_INSTALLED
MODULE_ACTION_RECORDER_ADMIN_LOGIN_MINUTES
MODULE_ACTION_RECORDER_ADMIN_LOGIN_ATTEMPTS

hello Burt, I installed 2.3.1 via my desktop using the instructions in http://forums.oscommerce.com/topic/162231-quick-install-guide/page__st__2320__gopid__1585734#entry1585734

Then getting the below error on every page i try to open on my domain:

Forbidden

You don't have permission to access / on this server

Any inputs?
Best.
Aj

[jamine]

Problem: Customer Cannot Login
Answer: Turn off the session.auto_start from php.ini

[Andy H]

Xpajun, on 25 May 2011, 08:02, said:

Not only must the admin login on 2.3.1 be the same as htpasswd on the admin folder but any parent folder that the admin resides in

I had this problem after installing 2.3.1. I tried deleting the admin user from the database with phpmyadmin but that didn't help. I've now tried it again, setting the username and password to be the same as the .htaccess login details and that works. Thanks.

FWIW, I set up the .htaccess login manually, by editing .htaccess and using a password file I use elsewhere on the site. I did that before installing oscommmerce so it would be secure while I was setting it up - I made the catalog and admin folders before uploading the files.

[vlbharathiraja]

i did all the things... but confusion with this "to remove the ar_admin_login.php value from the MODULE_ACTION_RECORDER_INSTALLED key". how can i change the value once i deleted the ar_admin_login.php file.

@burt

[patrickluursema]

Thanks for the link.
Regards,

Patrick Luursema