#32828 WAF - Administrator secret URL parameter

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Saturday, 09 May 2020 17:17 CDT

Gian Luca
Hi, congratulations for your products!
I need some advice, because I've enabled the WAF option "Administrator secret URL parameter", but the administrator page is nevertheless accessible from /administrator, even without inserting /index.php? How is it possible?
Thank you very much!
Best regards.
Gian Luca Villa

nicholas
Akeeba Staff
Manager
It is exactly how it's supposed to work.

The first time you visit /administrator/index.php?your_secret we store a special value in your Joomla session which basically says "this person knows the admin URL secret". From that point onwards any attempt to access /administrator or /administrator/index.php will work just fine.

Remember that /administrator tells Apache "load the default document in the /administrator directory". The default document is index.php, therefore /administrator is functionally equivalent to /administrator/index.php.

If we didn't do this session trick you wouldn't be able to access your administrator at all! Think, for example, that when you click on Joomla's Users, Manage you are simply navigating to /administrator/index.php?option=com_users, a URL that doesn't have the admin query parameter.

The special value in the session is destroyed when your session expires, per the Global Configuration settings, or when you log out. Of course, when you log out you are redirected back to /administrator/index.php?your_secret which sets the special session value again. That's probably why you think this feature does nothing.

Try a different computer and browser where you haven't used the secret URL parameter yet. Try accessing /administrator or /administrator/index.php. You will be redirected to your site's front page and a security exception will be logged.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
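The session-based gate described in the reply above, modelled as an added example for readers; this is illustrative code written for this page, not Admin Tools' own implementation, and the secret `your_secret`, the `session` dict and the `log` list are constructed stand-ins for Joomla's session and the WAF security exception log.

```python
# Illustrative model of an "administrator secret URL parameter" gate.
# Hypothetical code written for this page, not the Admin Tools source.
import hmac
from urllib.parse import urlparse, parse_qs

ADMIN_SECRET = "your_secret"   # constructed placeholder for the configured secret
FRONT_PAGE = "/"               # where unauthorised admin requests are sent


def is_admin_url(path: str) -> bool:
    """/administrator and /administrator/index.php are the same default document."""
    bare = path.rstrip("/")
    return bare in ("/administrator", "/administrator/index.php") \
        or path.startswith("/administrator/")


def handle_request(session: dict, url: str, log: list) -> str:
    """Return 'allow', or the redirect target for a blocked admin request."""
    parsed = urlparse(url)
    if not is_admin_url(parsed.path):
        return "allow"                      # front-end pages are never gated
    # A bare key such as index.php?your_secret parses as a key with an empty value.
    keys = parse_qs(parsed.query, keep_blank_values=True).keys()
    if any(hmac.compare_digest(k, ADMIN_SECRET) for k in keys):
        session["admin_secret_ok"] = True   # remember "knows the secret" in this session
        return "allow"
    if session.get("admin_secret_ok"):
        return "allow"                      # later navigation without the parameter
    log.append(f"security exception: admin access without secret to {parsed.path}")
    return FRONT_PAGE


def logout(session: dict) -> str:
    """Logging out drops the session flag; the redirect target re-arms it."""
    session.clear()
    return f"/administrator/index.php?{ADMIN_SECRET}"
```

Running the same `session` through a first visit with the secret, then plain /administrator requests, shows the flag carrying over, while a fresh `session` without the parameter is redirected and logged.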

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
