Bug: Two Logons Required for Admin
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=19265
Printed Date: 11 April 2026 at 11:54pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Bug: Two Logons Required for Admin
Posted By: djlurchg
Subject: Bug: Two Logons Required for Admin
Date Posted: 12 April 2006 at 5:20pm
When I log on as administrator, I have to log on twice to access the control panel. The second time I have to enter that darn CAPTCHA code, which is turned off.
|
Replies:
Posted By: WebWiz-Bruce
Date Posted: 12 April 2006 at 6:18pm
This is not a bug; it is done by design.
The Admin Control Panel needs super strength security because if a hacker gets into that section they can destroy your whole forum.
To protect against this, the admin area uses a different, much more secure login system that doesn't allow auto login and uses a proprietary session system that is much more secure than ASP's own built-in session system.
This does mean that admin must re-login to enter the Admin Control Panel, but this shouldn't be too much of an issue as you shouldn't need to enter the admin area too much once your forum is set up.
|
Posted By: WebWiz-Bruce
Date Posted: 12 April 2006 at 6:19pm
Also, if you don't want to log in twice, you can log in directly to the admin area by going to the file 'admin.asp', which saves typing in the admin login details twice.
|
Posted By: djlurchg
Date Posted: 12 April 2006 at 7:37pm
borg:
After working through things (in the forum and in my head), I now understand the workflow. That doesn't mean I like it. I just wish I didn't have to log in twice.
|
Posted By: WebWiz-Bruce
Date Posted: 13 April 2006 at 10:12am
This method was brought in after tracking the habits of a few prolific hackers that targeted Web Wiz Forums.
Since the double login system in version 7.97 we seem to be ahead now of these hackers who have given up trying to access the admin section.
Version 8 has gone even further than version 7.97 with even more security on the admin control panel with an even more secure login method.
I know this is a pain, but as the admin area isn't something that will be entered often it is a necessary evil.
I imagine most users would rather have to log into the admin area, thus doing a double login, than find their forum or entire site (in a few cases) completely defaced and all forum data lost.
|
Posted By: djlurchg
Date Posted: 13 April 2006 at 5:41pm
But the site CAN be defaced without the double login. I only need to use the quick login to edit and delete posts. If you're so concerned about security, then why not require a double login for all admin activities...or move the admin logon to an obscure, renamable page.
|
Posted By: WebWiz-Bruce
Date Posted: 13 April 2006 at 5:57pm
The main damage can be done through the admin control panel; this is why the need for more security there.
The forum used to have a system in previous versions whereby the admin area was meant to be renamed or deleted after the initial setup, but no-one ever did, so that security measure was totally useless.
I have explained the reason for the admin having to log into the admin control panel even if they are logged into the main forum, so please let this be the end to it.
If you are seriously that against it, then there are plenty of forum systems out there that don't bother with security, and maybe one of those would suit you better.
|
Posted By: djlurchg
Date Posted: 13 April 2006 at 6:09pm
borg,
The reason I chose WWF years ago was because it was A) Written in ASP, which I knew quite well B) Priced competitively C) Easy to hook in to so I could integrate with other applications D) A mature, stable product, with the right feature set.
Reason C is now gone, which is disappointing.
I can understand your frustration, I have to deal with the same thing. I've had to put up with several telephone calls and emails from forum members this week because they can't understand that they now need to log in twice to the site instead of just once like before. I've now spent 4 of the last 5 days on this project.
Do you feel like I've been out of line or unprofessional in any way?
|
Posted By: Mikey
Date Posted: 13 April 2006 at 9:23pm
djlurchg wrote:
borg,
... C) Easy to hook in to so I could integrate with other applications ...
Reason C is now gone, which is disappointing...
|
Many users are now using ver8 and hooking into it with no problems..
but everyone is entitled to their own opinions
------------- Handyman man?
|
Posted By: wistex
Date Posted: 13 April 2006 at 11:23pm
Well, hopefully the API coming soon will help you with the hook-in. I too am looking forward to the API.
And, as far as hooking in, it's always easier to replace a less secure login system with a more secure one than the other way around. Why? Because the more secure one is more complex.
I know security is a pain, but unfortunately there are people out there who will steal or destroy what you have if it's not locked down.
I don't like having to log in twice myself, but I'll do it so my website is more secure. I've spent years building my site up, and I would be very angry and depressed if something happened to it due to someone breaking in. So I'll live with the security.
------------- http://www.wistex.com - WisTex Solutions http://www.caribbeanchoice.com/forums - CaribbeanChoice Forums
|
Posted By: WebWiz-Bruce
Date Posted: 14 April 2006 at 10:19am
I came up with a more simple way of building an existing member API yesterday, and it took me around 30 minutes to build and test this morning.
It would have been quicker but I wanted to add in error handling, and data checking.
The new 'Existing Member API' will be very simple to setup, you will have to set one variable in the file 'functions/functions_member_API.asp' to true:-
Const blnMemberAPI = True
Then in your own login system add the following two session variables:-
Session("USER") = Member_Username
Session("PASSWORD") = Member_Password
It's as simple as that, then when members log into your site they will also be logged into the forum, if an account doesn't exist for them in the forum one will be created. If their password changes in your login system it will also be updated when they go to the forum.
You may also want to disable new user registration in the forum to prevent users bypassing your own login system.
Of course this new API relies on the security of your own login system which may not be as secure as that used in Web Wiz Forums.
The API has been built to make it as simple as possible to setup, and I don't think you can get much simpler than that.
|
Posted By: djlurchg
Date Posted: 14 April 2006 at 4:21pm
Posted By: WebWiz-Bruce
Date Posted: 14 April 2006 at 4:24pm
Version 8 full is out now if you want to try this.
There is no documentation for this yet except notes in the 'functions/functions_member_API.asp' file, but it is so simple to use I doubt much more is needed.
|
Posted By: wistex
Date Posted: 14 April 2006 at 5:13pm
Wow! I'm impressed!
I'll still stick with WWF as the base as it's more secure, but I am very impressed that you made it so simple.
------------- http://www.wistex.com - WisTex Solutions http://www.caribbeanchoice.com/forums - CaribbeanChoice Forums
|
Posted By: dpyers
Date Posted: 14 April 2006 at 8:27pm
-boRg- wrote:
Version 8 full is out now ...
<greed>Off to the downloads page to see if this means what I think it means </greed>
-------------
Lead me not into temptation... I know the short cut, follow me.
|
Posted By: tipponline
Date Posted: 01 May 2006 at 1:33pm
Great API! I say just: wow.
One modification has to be documented. The "logout" button must be easy to configure with this API too. Depending on the self-login system, the logout button is not working when using the API for login control.
|
Posted By: WebWiz-Bruce
Date Posted: 02 May 2006 at 12:08pm
You would be better off connecting the logout button to your site's own logout control or file, then add the following to also log you out of the forum:-
Session("USER") = ""
Session("PASSWORD") = ""
------------- https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting