#13968 Secret URL Parameter not working

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by bytekultur on Wednesday, 31 October 2012 05:32 CDT

bytekultur
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.7
PHP version: 5.3.18
MySQL version: 5.5.28
Host: ****************** (running on https in the backend)
Admin Tools version: 2.4.1

Description of my issue:
We have admin tools running with an IP whitelist for the backend and an IP blacklist for the frontend. There are some administrators that should have backend access sometimes outside the whitelist range (for example when abroad or with a dyn. IP). As I understand, that's what the secret URL parameter is for.

It seems that this only works for some people, not for all of them. I have tried several times with other people and also with my own account (after deleting the IP range I am in and deleting all entries in logs and blacklists) and I cannot access the backend with the secret URL parameter.

I have tried
/administrator?urlparam
/administrator/?urlparam
/administrator/index.php?urlparam

none of them work. What happens is that I am redirected to the frontend and after the third time the page does not load anymore, and in some cases they see the message I have set to be shown to someone on the blacklist.
Did I miss something?

Best regards and thanks a lot.

--- byteKultur.net

 

nicholas
Akeeba Staff
Manager
First, you'll have to remove yourself from the automatic IP blacklist. Here are the instructions: https://www.akeebabackup.com/documentation/troubleshooter/atwafissues.html

Then, we'll have to find out why that happens. The most usual causes:
- You have more than one security extension in your site. For example, if you're using jSecure you shouldn't enable the secret URL parameter feature in both jSecure and Admin Tools. They will clash.
- There is a redirection going on. Typically this happens when you try accessing, let's say, example.com/administrator/index.php?secret and the browser tries to redirect you to www.example.com/administrator/index.php. When the redirection happens the URL parameter is lost and you get kicked back to the front-page.
- This can also happen when a site is accessible under different domain names but you redirect them all to one. For example, our site is available as www.joomlapack.net and www.akeebabackup.com. The former redirects to the latter. I cannot use the joomlapack.net URL to log in to admin, I get kicked back to the home page.

Since you get an intermittent issue, I suspect that it's a redirection issue. Try figuring out what is the proper domain name you should be using.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
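
The redirection cause described in the reply above can be checked from a header capture. The following is an added example, not part of the ticket and not Akeeba's code: it reads response headers in the shape printed by `curl -sIL` and reports the first redirect that drops the secret URL parameter. The capture is constructed, and the parameter name `secret` and the example.com hosts are placeholders.

```python
from urllib.parse import urljoin, urlsplit, parse_qs

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed capture (not real traffic), shaped like `curl -sIL` output.
START = "https://example.com/administrator/index.php?secret"
CAPTURE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/administrator/index.php\r\n\r\n"
    "HTTP/1.1 303 See Other\r\nLocation: /\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
)

def trace(start_url, raw_headers):
    """Rebuild [(request_url, status, redirect_target_or_None)] from header blocks."""
    hops, url = [], start_url
    for block in raw_headers.replace("\r\n", "\n").split("\n\n"):
        lines = [l for l in block.split("\n") if l.strip()]
        if not lines:
            continue
        status = int(lines[0].split()[1])
        location = None
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "location":
                location = value.strip()
        # Relative Location values are resolved against the URL that was requested.
        target = urljoin(url, location) if status in REDIRECTS and location else None
        hops.append((url, status, target))
        if target:
            url = target
    return hops

def has_param(url, param):
    # keep_blank_values so a bare "?secret" (no "=value") is still seen
    return param in parse_qs(urlsplit(url).query, keep_blank_values=True)

def find_param_loss(start_url, raw_headers, param):
    """Return (hop_index, from_url, to_url, reason) for the first redirect that
    drops `param`, or None if the parameter survives the whole chain."""
    for i, (url, status, target) in enumerate(trace(start_url, raw_headers)):
        if target and has_param(url, param) and not has_param(target, param):
            src, dst = urlsplit(url), urlsplit(target)
            if src.hostname != dst.hostname:
                reason = "host change"
            elif src.scheme != dst.scheme:
                reason = "scheme change"
            else:
                reason = "same-origin redirect"
            return i, url, target, reason
    return None
```

On the constructed capture the first hop is reported as a host change, which points to using the `www` host name directly in the login URL.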

bytekultur
Thanks for the feedback.
I did, as mentioned, delete the respective users from the blacklist and all log entries, as I suspected these would be checked when I try to login.

I do not have other active tools, see attached all the enabled system plugins.
The only possible thing I can think of is the redirect plugin or the Joomla config setting to use only https in the backend, which I really want to keep this way as there are lots of member data and passwords administered.

But - guessing that, I have tried to reach the page with and without https, and there is no difference.
I will though test the secret URL param without https and with the redirect plugin disabled.

The funny thing is though: I have a guy in Spain who used the URL parameter and it worked fine for him, and for me or any other person it didn't....

--- byteKultur.net

 

nicholas
Akeeba Staff
Manager
> I did, as mentioned, delete the respective users from the blacklist and all log entries, as I suspected these would be checked when I try to login.

Yep, I read that, but there are three places to check:
  • The Security Exceptions Log
  • The IP Blacklist
  • The Automatic IP Blacklist

People tend to forget the latter and get frustrated :)

> The only possible thing I can think of is the redirect plugin or the Joomla config setting to use only https in the backend, which I really want to keep this way as there are lots of member data and passwords administered.

And I agree with you. I am using HTTPS throughout my own site. But a plugin is not the only thing which can do a redirection. .htaccess can also do that.

> But - guessing that, I have tried to reach the page with and without https, and there is no difference.

You must use the HTTPS URL since you are redirecting to it.

> I will though test the secret URL param without https and with the redirect plugin disabled

Also check your .htaccess. It is often overlooked, but it's the first place you should look for redirections.

> The funny thing is though: I have a guy in Spain who used the URL parameter and it worked fine for him, and for me or any other person it didn't....

Out of curiosity, are you all using the same browser? It is always possible that your browser has cached a redirection and is acting funny. I'd recommend trying to empty your browser's cache, delete all cookies for your site, quit the browser and restart it. I know for sure that Chrome and Firefox can be affected.

Another thing I would try is emptying the #__sessions table using phpMyAdmin. Sometimes a corrupt session can stick around and not let you log in. It has only happened to me twice in two years and one of those times I deliberately corrupted the session for debugging purposes. It's rare but not impossible.

Nicholas K. Dionysopoulos


bytekultur
I think I have checked every list there is several times, whitelist, blacklist, autoban etc.

About the browsers and sessions / the htaccess:
Good thinking - I will test the different options you gave me and come back to you if nothing helped.

Thanks for now - and one question: is it possible to remove the host in my first post?
Sorry, very stupid to only realise now...

Best regards,
Terry

--- byteKultur.net

 

nicholas
Akeeba Staff
Manager
OK, I edited your original post. Feel free to post back after you do your tests.

Nicholas K. Dionysopoulos


bytekultur
Thank you, I'll keep you posted

--- byteKultur.net

 
