
logout doesn't really log me out

Posted: Sun Mar 20, 2011 12:43 pm
by kento
hi.
i have installed the new version of your blog, and it seems to run ok up to now, but when i logged in to the admin the first time, had a look around and logged out again, i found out that i can in fact choose admin and, without any login screen presented, i'm in the admin again and can do what my user account is set for. shouldn't i at least have to login first???

hope you can help me on this, can't use it in public before i'm sure that only i can get in the admin at any time.

greetings
kento
denmark

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 1:28 pm
by Timbalu
This is odd!
But this is not the normal Serendipity behaviour. I expect, if not having problems with sessions and/or cookies, you just went out of the administration panel by using the 'Back to Blog' button. This does not log off.
To log-off use the last button.

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 2:00 pm
by kento
i used the logout button /serendipity_admin.php?serendipity[adminModule]=logout and then i get to the page where i can login, but if i select back to blog and then select admin then i can get straight into admin without any username or password entered.

definitely need help on this, can't let anyone visit the blog as long as they can walk straight into administration without any login first. :?

it's like this
frontpage -> select administration of blog -> (no username password required) -> (now in administration) -> (select log out of administration) -> (login page shown) -> select back to weblog -> (then select the admin login link on frontpage) -> bum, then i'm in the administration page without any login information required (and no login page presented).

Must be a dream scenario for a spammer. :?

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 2:54 pm
by bernd_d
Are you sure, that you cleared your cache before going back to admin-interface? I didn't ever need to do this, but don't...

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 2:57 pm
by kento
bernd_d wrote: Are you sure, that you cleared your cache before going back to admin-interface? I didn't ever need to do this, but don't...
you mean the browser cache?

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 3:05 pm
by Timbalu
This should definitely not happen!
Maybe you just chose the 'remember me' option when logging in via the log-in form.

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 3:06 pm
by kento
okay this is what i have found out up to now.

in my php ini the session path is now /htdocs/
and i can see that each time i go to the blog site it makes a file in the session path.

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 3:11 pm
by kento
Timbalu wrote: This should definitely not happen!
Maybe you just chose the 'remember me' option when logging in via the log-in form.
Don't recall i did, but won't say i didn't though :D but still, shouldn't the remember me only remember your login information? and not log you in without any information passed first??

and when selecting logout it should make you have to press login on the login screen first??

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 3:14 pm
by Timbalu
Well, I never use it personally, but I think that's what the remember option is for. ;-)
If you need to get rid of it, you have to erase the cookie set by serendipity.

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 3:20 pm
by kento
Timbalu wrote: Well, I never use it personally, but I think that's what the remember option is for. ;-)
If you need to get rid of it, you have to erase the cookie set by serendipity.
so the remember me is not the right word, it should be remember and login me automatically maybe.. LOL ... well if that's the only thing then it's ok by me..
hmm think that the login works now. it shows the open login screen link on the frontpage, even though i haven't done anything else than set the session path in the php.ini

i'll give it all a try now.. thanks for the help :D

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 3:31 pm
by Timbalu
By the way, the session save path in general is not good beneath htdocs. Better somewhere in /tmp or one level up, just for security.

Re: logout doesn't really log me out

Posted: Sun Mar 20, 2011 3:33 pm
by kento
Timbalu wrote: By the way, the session save path in general is not good beneath htdocs. Better somewhere in /tmp or one level up, just for security.
i'm already on it, and found out why the session didn't work the first time... had to stop and start my webserver, only then it worked (banging my head on the table.. kento kento kento.. grow up) LOL...
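
A check for the advice above about keeping the session save path out of htdocs, as an added example that is not part of the thread and not Serendipity code: it reads `session.save_path` (or a path given on the command line) and reports when the directory is missing, unwritable, or inside the document root. The script name and the wording of the findings are assumptions; run it with the same php.ini the web server loads, since the CLI may use a different one.

```php
<?php
// Added example (not Serendipity code): audit where PHP stores session files.
// Usage: php check_session_path.php <document-root> [save-path]
// The file name and the finding messages are made up for this example.

/** session.save_path may be "/path", "N;/path" or "N;MODE;/path"; return the path part. */
function session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = trim(end($parts));
    // An empty setting makes the files handler use the system temp directory.
    return $dir !== '' ? $dir : sys_get_temp_dir();
}

/** True when $dir is $root or lies beneath it, after resolving symlinks and "..". */
function is_beneath(string $dir, string $root): bool
{
    $dir = realpath($dir);
    $root = realpath($root);
    if ($dir === false || $root === false) {
        return false; // unresolved paths cannot be compared
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dir . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

/** Return a list of problems; an empty list means the location looks sane. */
function audit_session_path(string $savePath, string $docRoot): array
{
    $dir = session_dir($savePath);
    $findings = [];
    if (!is_dir($dir)) {
        $findings[] = "$dir does not exist, so sessions cannot be stored";
    } elseif (!is_writable($dir)) {
        $findings[] = "$dir is not writable by this PHP user";
    }
    if (is_beneath($dir, $docRoot)) {
        $findings[] = "$dir is inside the document root $docRoot; sess_* files may be downloadable";
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $savePath = $argv[2] ?? (string) ini_get('session.save_path');
    $findings = audit_session_path($savePath, $argv[1]);
    echo ($findings ? implode(PHP_EOL, $findings) : 'OK: session files are outside the document root') . PHP_EOL;
    exit($findings ? 1 : 0);
}
```

A changed `session.save_path` only takes effect once the web server has reloaded php.ini, so re-run the check after the restart.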