Support

Please tell me which of the following features have you got enabled:

• Administrator password protection
• Administrator secret URL parameter
• Custom administrator directory name
• Administrator IP whitelist

This will help me try to reproduce the issue and track it down.

Are you sure you are running Admin Tools 3.3.1? I cannot reproduce this. Can you please right-click on the logout link, choose Copy URL and paste it here? It should look something like
http://www.example.com/administrator/index.php?option=com_login&task=logout&e1c455cc850466c35819f3905f561a5d=1
The last part with the 32 meaningless characters will be different every time you log out, but the option and task parameters MUST be exactly the same every time. If the URL is different then there is a bug in your administrator template.

Also check whether you are using any plugins which may be automatically log you in, e.g. based on your IP address. There was a bug in Admin Tools 3.1.x and earlier regarding logging out of admin. When trying to log you out a security exception would be raised and you'd be kicked back to the site's home page. This bug is fixed in Admin Tools 3.3.1 and now when you log out you will be redirected to http://www.example.com/administrator/index.php?your_secret_word as it has always been intended. However, if you have a plugin which automatically logs you in to your administrator section then accessing the back-end login page will log you back in automatically. I suspect this is the case.

Peter proposed this login by IP as a core feature. As many people told him, it is a bad idea. Just a summary of the top reasons:

• You can never log out because it will log you in as soon as you log out
• The IP address can be spoofed trivially by a real hacker (I could tell you if you are interested, but NOT in a public ticket)
• Logging in by IP address is a zero factor authentication method, meaning that it sidesteps the username, the password and your two factor authentication code. This makes it extremely prone to cross site request and side channel attacks. Simply put, if anyone can get you to hit a URL on a server they have access to from your computer they can spoof the IP to automatically log in as you and they they own your site.

So, let me put on my best Dirty Harry voice and say "I know what you're thinking. Did he log my IP address just now, or did he not? Well, to tell you the truth I kinda lost track myself. But this is a login plugin based on IP, the easiest thing to be spoofed and will log me in as a Super User to your very own site's administrator area. You've got to ask yourself one question. Do I feel lucky? Well, do you, punk?" Please, don't tell me that you need to know ;) Context: http://www.youtube.com/watch?v=8Xjr2hnOHiM#t=107

You're welcome :)