Ecommerce Website

osCommerce - Admin Security
OK, so you have osCommerce installed and you're starting to poke around the admin area, looking at all of the available features and controls, making some of your initial global configurations. And suddenly it hits you: "Wait a minute, I didn't have to log in to get here?!"

That's right, you didn't. While many if not most open source web applications provide some sort of 'admin' account and the functionality to create an ID and password, fresh out of the box osCommerce does not. So you are probably asking yourself, "How can I leave my admin area wide open? That's an obvious security hole." You're not alone; that is one of the most frequently asked questions in the osCommerce support forums.

For whatever reason, the core developers of osCommerce chose not to provide built-in security for the admin area. It doesn't take a genius to figure out that some sort of security is required. Fortunately the solution is usually fairly simple to implement and reasonably secure: use a .htaccess file. Now let me quickly note that this applies to Linux/Unix Apache-based systems. If you are using a Windows server, the security is configured through the folder properties etc. The majority of osCommerce implementations are on Linux hosts, so that's what I'm going to talk about here.

The .htaccess file is a plain text file that provides the ability to configure not only security but also things such as search-friendly URLs. For those interested, a more in-depth discussion of .htaccess can be found here.

The .htaccess file uses a separate file which stores the password for an account in an encrypted format. There are some command line and other utilities for setting up folder protection using .htaccess, but for the most part you should not have to rely on those. Most web hosts provide some functionality within their control panels to password protect folders. Behind the scenes this sets up the .htaccess and password files for you. If your host uses cPanel, go to the applet titled "Password Protect Directories", drill down to the folder you wish to protect, add an account and password, and you are all set.

If you have trouble with this, or your hosting package doesn't make password protecting directories readily available, contact your host for help. I've seen far too often people having problems and posting questions that their web host would actually be the best equipped to help with. Your web hosting company should be your friend and should provide you with timely help. If they aren't, get another one. I highly recommend Host Dime. I've used them for three years and they provide excellent service at a reasonable price.

Another important thing to know when you are password protecting a folder: you only have to set a password on the top-level folder, i.e. catalog/admin. All the folders underneath are then protected, so you don't have to apply a password to each of the subfolders under admin.
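
For hosts where the folder has to be protected by hand, the shell functions below write the .htaccess for catalog/admin and then confirm that an anonymous visitor is asked to log in. This is an added example, not code from osCommerce or from the original article; the function names, the /home/shopuser paths, the shopadmin account and the shop.example URL are all assumptions.

```shell
#!/bin/sh
# Added example. Paths, account name and URL are assumptions, not osCommerce defaults.

# write_admin_htaccess DOCROOT ADMIN_SUBDIR PASSWD_FILE
# Writes DOCROOT/ADMIN_SUBDIR/.htaccess so Apache demands a login from PASSWD_FILE.
# Apache applies it to every folder below ADMIN_SUBDIR as well.
write_admin_htaccess() {
    docroot=$1 admin_subdir=$2 passwd_file=$3
    case "$passwd_file" in
        "$docroot"/*)
            # A password file under the web root could be downloaded by visitors.
            echo "refusing: $passwd_file is inside the web root" >&2
            return 1 ;;
        /*) ;;
        *)  echo "refusing: AuthUserFile must be an absolute path" >&2
            return 1 ;;
    esac
    cat > "$docroot/$admin_subdir/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce Admin"
AuthUserFile "$passwd_file"
Require valid-user
EOF
}

# admin_requires_login URL
# Succeeds only when an anonymous request is answered with HTTP 401.
admin_requires_login() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || return 2
    [ "$code" = "401" ]
}

# Typical run on the host (htpasswd ships with Apache; -c creates the file,
# -B stores a bcrypt hash and needs Apache 2.4, and the password is prompted for):
#   htpasswd -c -B /home/shopuser/private/admin.htpasswd shopadmin
#   write_admin_htaccess /home/shopuser/public_html catalog/admin \
#       /home/shopuser/private/admin.htpasswd
#   admin_requires_login https://shop.example/catalog/admin/ && echo "login required"
#   admin_requires_login https://shop.example/catalog/admin/includes/ && echo "subfolder too"
```

These directives only take effect if the host's Apache configuration allows them in .htaccess files (AllowOverride AuthConfig or All). Basic authentication sends the password with every request, so the admin area should be reached over HTTPS.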

In addition to going directly and setting up .htaccess on your web, there are also some contributions available; Administration Access Level Accounts is one, for example. I've never used any of those particular contributions myself, but if you want to go that route I suggest browsing the contributions area of the osCommerce site.

Happy Coding