IP.Board 2.3: Auto-login to ACP


17 replies to this topic

#1 Michael

Michael

    See code 431.322.12 of the Internet Privacy Act

  • Modders
  • 22,042 posts
  • Location:Columbus, OH
  • Real Name:Michael McCune
  • IPB Version:v3.1.x
Contributor

Posted 13 June 2008 - 07:36 PM

This is the support topic for the tutorial Auto-login to ACP.  Please post here if you have any questions or feedback.

#2 Schranzer

Schranzer

    Dr Gonzo

  • Banned
  • 173 posts
  • Location:Germany
  • Real Name:Jerome McLane
  • IPB Version:v2.3.x
Contributor

Posted 15 June 2008 - 12:42 PM

THANK YOU MICHAEL!!!
Nice Idea ;)

#3 manHa

manHa

    Damnn.

  • Members
  • 186 posts
  • IPB Version:v2.3.x
Contributor

Posted 20 June 2008 - 03:40 AM

Thank you very much Michael ;)

#4 Adriano Faria

Adriano Faria

    ...a curious guy...

  • Modders
  • 3,268 posts
  • Location:Brazil
  • Real Name:Adriano
  • IPB Version:v3.3.x
Contributor

Posted 20 June 2008 - 10:39 AM

It's interesting but some things didn't work such as Edit Member, SQL Toolbox... ;)

#5 Michael

Posted 20 June 2008 - 11:46 AM

Yeah, I found that out too, since you're not actually 'logged in' you don't have any root admin privileges.
Michael McCune - IPS Marketplace Moderator


#6 Adriano Faria

Posted 20 June 2008 - 12:36 PM

Michael, on Jun 20 2008, 08:46 AM, said:

    Yeah, I found that out too, since you're not actually 'logged in' you don't have any root admin privileges.

Exactly! ;)

#7 Martin

Martin

    But but, it's not only only!

  • Management
  • 7,081 posts
  • Location:Hammerfest, Norway
  • Real Name:Martin Aronsen
  • IPB Version:v3.2.x
Contributor

Posted 20 June 2008 - 01:24 PM

Michael, on Jun 20 2008, 01:46 PM, said:

    Yeah, I found that out too, since you're not actually 'logged in' you don't have any root admin privileges.

How about adding the "function" that creates and inserts the adsess below the function that's commented out in admin.php?

#8 Martin

Posted 20 July 2008 - 01:07 AM

I just discovered another problem with this tutorial.

While in settings, the root admin will be removed from all group listings. It just caused me 30 minutes of head scratching until I thought about this little edit that I did.

#9 Michael

Posted 20 July 2008 - 01:09 AM

I should probably just trash this then.

#10 GaryK

GaryK

    Coder

  • IM Supporters
  • 123 posts
  • Location:Miami, FL
  • Real Name:Gary Keith
  • IPB Version:v2.3.x
Contributor

Posted 20 July 2008 - 01:26 AM

Perhaps instead of trashing this mod you could simply change it so that you can easily add/remove some hard-coding in the appropriate file such that the login name (or e-mail) and password form fields are automatically populated and a submit is simulated via JavaScript?

Edited by GaryK, 20 July 2008 - 01:28 AM.

Alright! I know I'm in there! If I don't come out, I'll have to come in after me!

#11 Martin

Posted 20 July 2008 - 01:34 AM

Or just add this piece of code above the code found in the tutorial.

// Runs only when the request carries no admin session id (adsess) yet.
if ( ! $ipsclass->input['adsess'] )
{
    // Load the member named by the member_id cookie, joined with the
    // group row and the ACP permission row. The cookie value is the
    // only thing identifying the member here.
    $ipsclass->DB->build_query( array(
        'select'   => 'm.*',
        'from'     => array( 'members' => 'm' ),
        'where'    => 'm.id='.intval($_COOKIE[$ipsclass->vars['cookie_id'].'member_id']),
        'add_join' => array(
            0 => array(
                'select' => 'g.*',
                'from'   => array( 'groups' => 'g' ),
                'where'  => 'g.g_id=m.mgroup',
                'type'   => 'left' ),
            1 => array(
                'select' => 'p.*',
                'from'   => array( 'admin_permission_rows' => 'p' ),
                'where'  => 'm.id=p.row_member_id',
                'type'   => 'left' )
        )
    ) );

    $ipsclass->DB->exec_query();

    $mem = $ipsclass->DB->fetch_row();

    // Let the session class resolve the member's group permissions.
    $ipsclass->sess->member = $mem;
    $ipsclass->sess->build_group_permissions();
    $mem = $ipsclass->sess->member;

    // Only members whose group may access the ACP get a session.
    if ( $mem['g_access_cp'] != 1 )
    {
        die( "You do not have access to the administrative CP" );
    }
    else
    {
        $extra_query = "";

        // Rebuild the originally requested query string, stripping the
        // board URL, old session ids and login-related parameters.
        if ( $_POST['qstring'] )
        {
            $extra_query = urldecode( $_POST['qstring'] );
            $extra_query = str_replace( "{$ipsclass->vars['board_url']}", "", $extra_query );
            $extra_query = preg_replace( "!/?admin\.{$ipsclass->vars['php_ext']}!i", "", $extra_query );
            $extra_query = preg_replace( "!^\?!", "", $extra_query );
            $extra_query = preg_replace( "!adsess=(\w){32}!", "", $extra_query );
            $extra_query = preg_replace( "!s=(\w){32}!", "", $extra_query );
            $extra_query = preg_replace( "!act=login!", "", $extra_query );
            $extra_query = preg_replace( "!code=template-edit-bit!", "", $extra_query );
            $extra_query = preg_replace( "!code=template-bits-list!", "", $extra_query );
            $extra_query = preg_replace( "!bitname=(\w)!", "", $extra_query );
            $extra_query = $ipsclass->parse_clean_value( $extra_query );
        }

        // Replace any existing admin session for this member with a new one.
        $ipsclass->DB->do_delete( 'admin_sessions', 'session_member_id='.$mem['id'] );
        $sess_id = md5( uniqid( microtime() ) );

        $ipsclass->DB->do_insert( 'admin_sessions', array(
            'session_id'               => $sess_id,
            'session_ip_address'       => $ipsclass->ip_address,
            'session_member_name'      => $mem['name'],
            'session_member_id'        => $mem['id'],
            'session_member_login_key' => md5( $mem['joined'] . $mem['ip_address'] ),
            'session_location'         => 'index',
            'session_log_in_time'      => time(),
            'session_running_time'     => time(),
        ) );

        $ipsclass->input['adsess'] = $sess_id;

        $extra_query .= "&member_id=".$mem['id'].'&password=ok';

        // Send the browser to the ACP index with the new session id.
        $ipsclass->admin->redirect( $ipsclass->vars['board_url'].'/'.IPB_ACP_DIRECTORY."/index.".$ipsclass->vars['php_ext']."?adsess=".$ipsclass->input['adsess']."&".$extra_query, '"Log In" Successful' );

        exit();
    }
}

It will at least give you some fake security. The only way for someone else to get in now is to change their member_id cookie.
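
The limitation stated at the end of the post above (the member_id cookie is the only thing identifying the admin) can be narrowed by also requiring a loopback source address and a per-member secret before any auto-login runs. This is an added example, not code from the thread or from IP.Board; `autologin_allowed()`, the `login_key` cookie and the `login_key` member field are hypothetical names, and `hash_equals()` needs PHP 5.6 or later.

```php
<?php
// Added example; autologin_allowed() and the 'login_key' names are
// hypothetical and not part of IP.Board.

/**
 * Decide whether a development-only ACP auto-login may proceed.
 * All checks must pass: the request comes from the local machine, the
 * id cookie names the loaded member, and the browser presents a secret
 * matching the one stored server-side for that member.
 */
function autologin_allowed(array $server, array $cookies, array $member, $prefix = '')
{
    // 1. Loopback only, mirroring an "allow from 127.0.0.1" rule.
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, array('127.0.0.1', '::1'), true)) {
        return false;
    }

    // 2. The id cookie must name the member row that was loaded.
    $key = $prefix . 'member_id';
    $id  = isset($cookies[$key]) ? (int) $cookies[$key] : 0;
    if ($id <= 0 || $id !== (int) $member['id']) {
        return false;
    }

    // 3. An id alone proves nothing: also require a per-member secret,
    //    compared in constant time.
    $key       = $prefix . 'login_key';
    $presented = isset($cookies[$key]) ? (string) $cookies[$key] : '';
    $expected  = (string) $member['login_key'];

    return $expected !== '' && hash_equals($expected, $presented);
}

// Constructed sample data, not taken from a real board.
$member = array('id' => 1, 'login_key' => 'constructed-secret-0123456789abcdef');
$local  = array('REMOTE_ADDR' => '127.0.0.1');
$remote = array('REMOTE_ADDR' => '203.0.113.7');
$good   = array('member_id' => '1', 'login_key' => $member['login_key']);
$idOnly = array('member_id' => '1');

var_dump(autologin_allowed($local,  $good,   $member)); // local request, id and secret match
var_dump(autologin_allowed($local,  $idOnly, $member)); // local request, id cookie only
var_dump(autologin_allowed($remote, $good,   $member)); // correct cookies, non-local address
```

If the board sits behind a reverse proxy on the same host, `REMOTE_ADDR` is the proxy's address for every visitor, so the loopback check then has to be enforced at the proxy instead.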

#12 Martin

Posted 25 July 2008 - 07:28 PM

Just bumping this in case you didn't see it ;)

#13 GaryK

Posted 25 July 2008 - 10:09 PM

m4rtin, on Jul 25 2008, 03:28 PM, said:

    Just bumping this in case you didn't see it :)

Thanks, I did see it, but decided not to use it. I realized that my development server is connected to the 'net, and I don't trust myself to disable auto-login before I stop working for the day so this is probably not a safe thing for me to be using. ;)

Please correct me if my above assumption is wrong. :)

#14 Martin

Martin

Posted 25 July 2008 - 10:40 PM

It is safe against the man in the street, but some leet hackers may find the solution to it.
Just put a .htaccess/.htpasswd lock on the folder, and you're as safe as you'll ever be.

You can also ban everyone but yourself using .htaccess.
order deny,allow
deny from all
allow from 127.0.0.1
allow from localhost


#15 GaryK

GaryK

Posted 25 July 2008 - 10:48 PM

I'll have to see if there's a Windows Server 2003 equivalent for that. Thanks for the tip. ;)

#16 Martin

Martin

Posted 25 July 2008 - 11:02 PM

http://support.microsoft.com/kb/324064
Like that, maybe?

#17 GaryK

GaryK

Posted 25 July 2008 - 11:09 PM

m4rtin, on Jul 25 2008, 07:02 PM, said:

Thanks. I knew there was a way to handle restrictions, but it's been so long since I used it I'd forgotten how to do it. Now I feel comfortable with the ACP Auto-Login.

#18 Londonms

Londonms

    Member

  • Banned
  • 21 posts
  • IPB Version:v3.0.x

Posted 23 January 2009 - 07:06 PM

I did a different script. I created a file called admin/indice.php with the data of admin/index.php, and after that I made the changes in admin/index.php

only in this part, so I put
{
		die( "You do not have access to the administrative CP" );
}
changed for
{
		header( 'Location: indice.php' );
}
What will happen is that when the admin is not logged in, he will not get the message but the screen asking for logon/password.

Since admin/indice.php is a copy of the old admin/index.php, it always asks for the password - I thought that was the best message.

Edited by Londonms, 23 January 2009 - 07:29 PM.




