Topic: Remove login password area

I'm attempting to integrate svmanager into the backend of a content management system and the management area will already be password protected by the CMS's admin area.  I don't want my clients to have to log into their admin area, and then have to log in again to the svmanager.  Is there a way to make the svmanager admin area not password protected?

Any advice is greatly appreciated.  Thanks!

Re: Remove login password area

I'll have a think and get back to you. It's probably best to keep detailed discussion of security issues out of public forums so I'll reply by pm - probably Monday.

jack

Jack Hardie
SimpleViewer Support Team.

Re: Remove login password area

Hi Jack,

would like to bring this one up again and see how i can do it for my site too.

I created my own category page for my gallery so i don't need this page except for my other teams to login and upload their works.

so is it possible to restrict other people from being able to go to this page (w w w sitename com / svmanager) this shows the admin login on the top right.

again i would like to have that only available for specific people and not for the public. Kindly let me know how to do it. thank you for the great work.

Chlyan

Re: Remove login password area

The gallery index (the one with thumbnails and the admin link at top right) is svmanager/index.php. If you don't need this page then you can simply delete it. People who want to access svManager can then just go to http://www.yoursite.com/svmanager/svmanager.php and log-in as normal with the user name and password.

I just spotted your reference to 'people' using svManager. Please bear in mind that svManager is not designed to be a multi-user system. You should try to arrange things so that svManager is being used by one person at a time.

jack

Jack Hardie
SimpleViewer Support Team.

Re: Remove login password area

Hey, I want to ask the same question as varnerific, where I'm integrating it into a CMS so I don't want the client to have to log-in twice to edit the gallery. Did you figure out a solution? thanks in advance,

Kristy

Re: Remove login password area

i have same question here
is there a way to remove login and have admin go straight to admin index page without logging in what would be a second time
as i too have integrated it in to my cms

or can we use a URL string

http://domain.com/login.php?username=th … atpassword

Re: Remove login password area

Is your cms written in php like Drupal? Could you set a php session variable from your cms?

jack

Jack Hardie
SimpleViewer Support Team.

Re: Remove login password area

hi yes it is
but im a bit of a php newb
i have patched together a few things like wordpress autologin from bits of code
egim a cut and paste coder with limited ability to write my own

hence i guess others have made it easy by allowing for this type of access
login.php?username=thisname&password=thatpassword

how would i go about "Setting a php session variable" that would work with SV?

thanks Jack for any help you can provide

Re: Remove login password area

I guess you have two broad options:

  1. Leave svManager untouched and modify your content management system so it generates the same session variables as the svManager login page. I could tell you what the session variables would need to look like but I can't tell you how to generate them in your content management system.

  2. Leave the content management system untouched and hack the svManager authorization code so it reads the user name and password that have been set by the cms.

login.php?username=thisname&password=thatpassword

Does your cms really pass the user name and password in the url like that? It doesn't look very secure. What's to stop me looking over your shoulder when you're working in Starbucks and noting down your url string?

jack

Jack Hardie
SimpleViewer Support Team.

Re: Remove login password area

hi jack
thanks again for the replies...
believe option 1 is the go, what do the session variables need to look like?
as we have multiple users in the cms

Jack wrote:

login.php?username=thisname&password=thatpassword
Does your cms really pass the user name and password in the url like that? It doesn't look very secure. What's to stop me looking over your shoulder when you're working in Starbucks and noting down your url string?

there is one link in the CMS to an email marketing app that also has its own login
so rather than force a second login (as the user is already logged in to teh cms) hey have suggested we use that URL and sub in the login info
thats why i thought you might have that option in SV?
allows the 2 others less tech savvy users have to enter a user/pass to acess that email area
same as i ma trying to for SV
just to avoid them having to login to all these sperate areas...

so yes any advice you can continue top provide is very much appreiocated!

Re: Remove login password area

as we have multiple users in the cms

That rings a little alarm bell because svManager is not a multi-user program. If you only have one or two users and they are not all banging away at svManager at the same time then you should be ok but I wouldn't stretch it any further than that. I definitely would not open-up svManager to a large user base – it's not designed for that.

Email me via the forum with the user name and password that you have set in svManager. I'll email back with suggestions as to where to go from there.

I know you want to help your users but I'm thinking it could be just as helpful in the long run to give them a simpler, more secure system, even if they have three login pages. Most browsers offer to remember the logins. Just a personal opinion.

jack

Jack Hardie
SimpleViewer Support Team.

Re: Remove login password area

I've just spent a couple of hours studying code to see if there is an easy, safe and simple way to do what you want.

There isn't.

You can't simply pass the user name and password in the query string – svManager doesn't work like that.

I definitely do not think you should hack the svManager security code – that's bound to get you (and me) in trouble somewhere down the line.

The only option I can think of is to spoof the svManager login form from within your cms. In principle that is easy. All you need to do in your cms is set two php variables:

$_POST['user'] = 'theusernamethatyousetinsvmanageradmin'
$_POST['password'] = 'the-PassWord_that!You$Set*In(svManager]Admin'

and then load one of the svManager pages.

Of course the form or whatever mechanism you use to set the post variables should only be accessible to valid logged-in cms users.

There is one major drawback with this approach – you need to store the user name and password somewhere on the server. And you need to store them in plain text – not encrypted. This is a BIG BIG security hole. It defeats the whole point of password encryption.

I wouldn't do it.

jack

Jack Hardie
SimpleViewer Support Team.

Re: Remove login password area

What is/are the session variables? So that I can assign them in my PHP page and auto-login a user essentially bypassing the login for svManager.

Re: Remove login password area

You don't need to set the session variables directly. If you set the user and password in the $_POST variable as suggested in the previous post then the correct session variables will be generated automatically. Generating the session variables yourself is more difficult, less secure and may not work with future versions of svManager. Just make sure you keep the unencrypted password somewhere safe!

jack

Jack Hardie
SimpleViewer Support Team.