Logout link

For security reasons, we've been changing /login/ to /moresecretlyobscureloginname/.

The downfall in this is that we have to override /tools/page_controls_menu_js.php to make sure the logout link is pointing to the right place. Is there a way to make this more future-proof so that we don't have to update this every time we update the core?

MichaelG
 
RMDWebDesign replied:
Would it not be easier to do it this way?

Copy
/concrete/single_pages/login.php

to
/single_pages/moresecretlyobscureloginname.php


Then go Dashboard > Pages and Themes > Single Pages and add "moresecretlyobscureloginname" as a single page.

Then disable access to /login, either through the .htaccess file or by creating a blank PHP file and uploading it to

single_pages/login.php


Hope this helps :)
CaptainStarbuck replied:
I actually just encountered C5 for the first time today, just downloaded, and I'm now hacking it up.

Coming from Drupal, WordPress, and various forums and other FOSS, I can confirm that once the page name is found for any given app like this, you're going to get hackers hammering on it - and a name like "/login" isn't going to be tough to guess for bots either. I know C5 has a lockout for failed login attempts. But the best security is when they can't even find the login page to challenge that ban mechanism. So I came here too to figure out how to move the login page, as it seems hardcoded.

The page_controls_menu_js.php file has /login hardcoded, as does concrete/core/libraries/view.php and 30 other code and theme files. So copying the login file and replacing the single_page won't work. For the links to /login, how will the app know to open the new single page instead of this one?

I'm thinking I just don't understand the Single Pages mechanism. I'm guessing anything not registered there will go to Page Not Found, and anything registered will get executed. Well, it would be cool if we could remove that Single Pages reference or change the name there so that something like render('/login') would actually go to whatever page was registered to that name. Seems to me all of these hardcoded references should be Defined values. Short of that it seems like we need to do a global search/replace for /login with /ourloginpagename.

I hope this helps to clarify the intent.

Thanks!
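An added example, not code from any poster in this thread or from concrete5 itself: a shell function that lists the core files hardcoding a given login path and reports whether a root-level override exists for each, which is the check to repeat after every core update. It assumes an override sits at the same relative path as the file under concrete/ (as with tools/page_controls_menu_js.php above); the function names and the sample tree are constructed for illustration.

```shell
# audit_login_refs SITE_ROOT [PATH]
# Report core PHP files that hardcode PATH and the state of their override.
audit_login_refs() {
    local root=$1 path=${2:-/login}
    # Quoted string that is exactly PATH or starts with "PATH/":
    # '/login' and "/login/logout" match, '/login_help' does not.
    local pattern="['\"]${path}(/[^'\"]*)?['\"]"
    local file rel
    grep -rlE --include='*.php' -- "$pattern" "$root/concrete" | sort |
    while IFS= read -r file; do
        rel=${file#"$root"/concrete/}
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING $rel"   # core file uses PATH, no override yet
        elif grep -qE -- "$pattern" "$root/$rel"; then
            echo "STALE $rel"     # override exists but still uses PATH
        else
            echo "OK $rel"        # override exists and no longer uses PATH
        fi
    done
}

# Constructed sample tree (not real concrete5 source) so the check runs offline.
make_sample_tree() {
    local root=$1
    mkdir -p "$root/concrete/tools" "$root/concrete/core/libraries" \
             "$root/concrete/helpers" "$root/tools"
    echo "<?php echo \$this->url('/login', 'logout'); ?>" \
        > "$root/concrete/tools/page_controls_menu_js.php"
    echo "<?php \$v->render(\"/login\"); ?>" \
        > "$root/concrete/core/libraries/view.php"
    echo "<?php \$u = '/login_help'; ?>" \
        > "$root/concrete/helpers/unrelated.php"
    echo "<?php echo \$this->url('/moresecretlyobscureloginname', 'logout'); ?>" \
        > "$root/tools/page_controls_menu_js.php"
}

demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
audit_login_refs "$demo_root" /login
rm -rf "$demo_root"
```

Any MISSING or STALE line after a core update is a file that still links to the old path and needs a new or refreshed override.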