It is exactly how it's supposed to work.
The first time you visit /administrator/index.php?your_secret we are storing a special value in your Joomla session which basically says "this person knows the admin URL secret". From that point onwards any attempt to access /administrator or /administrator/index.php will work just fine.
Remember that /administrator tells Apache "load the default document in the /administrator directory". The default document is index.php therefore /administrator is functionally equivalent to /administrator/index.php.
If we didn't do this session trick you wouldn't be able to access your administrator at all! Think, for example, that when you click on Joomla's Users, Manage you are simply navigating to /administrator/index.php?option=com_users, a URL that doesn't have the admin query parameter.
The special value in the session is destroyed when your session expires, per the Global Configuration settings, or when you log out. Of course, when you log out you are redirected back to /administrator/index.php?your_secret which sets the special session value again. That's probably why you think this feature does nothing.
Try a different computer and browser where you haven't used the secret URL parameter yet. Try accessing /administrator or /administrator/index.php. You will be redirected to your site's front page and a security exception will be logged.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
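
The session behaviour described in the reply above, modelled as an added example (not Admin Tools' or Joomla's own code). The class, the session key name, the browser ids and the secret value are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

SECRET = "your_secret"          # constructed value standing in for the configured secret
FLAG = "admin_secret_seen"      # hypothetical session key name
ADMIN_PATHS = ("/administrator", "/administrator/index.php")


class AdminGate:
    """Toy model of a secret-URL-parameter gate in front of /administrator."""

    def __init__(self):
        self.sessions = {}       # session id -> session data
        self.security_log = []   # logged security exceptions

    def request(self, session_id, url):
        parts = urlsplit(url)
        # /administrator serves the default document, so both paths are equivalent.
        if parts.path.rstrip("/") not in ADMIN_PATHS:
            return "200 site"
        session = self.sessions.setdefault(session_id, {})
        # The secret is a bare query key: /administrator/index.php?your_secret
        if SECRET in parse_qs(parts.query, keep_blank_values=True):
            session[FLAG] = True
        if session.get(FLAG):
            return "200 admin"
        self.security_log.append((session_id, url))
        return "302 /"           # redirected to the site's front page

    def expire(self, session_id):
        # Session expiry destroys the session and the flag stored in it.
        self.sessions.pop(session_id, None)

    def logout(self, session_id):
        # Logout destroys the session, then the browser is redirected back
        # to the secret URL, which sets the flag again in the new session.
        self.expire(session_id)
        return self.request(session_id, f"/administrator/index.php?{SECRET}")


def demo():
    gate = AdminGate()
    results = [
        gate.request("browser-A", f"/administrator/index.php?{SECRET}"),
        gate.request("browser-A", "/administrator"),
        gate.request("browser-A", "/administrator/index.php?option=com_users"),
        gate.logout("browser-A"),
        gate.request("browser-A", "/administrator"),
        gate.request("browser-B", "/administrator"),  # never saw the secret
    ]
    return results, gate.security_log
```

Only the last request, from a browser whose session never carried the secret, is redirected and logged.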