IPB Admin CP Annoyances

One thing I noticed and really despised whilst using IPB was that when you are logged into the admincp and if you login to the admincp on another PC using the same IP it will log you out right away.

Why is it like this? That was damn annoying!

 

I don't like the IPB adminCP because you have to click so many times just to get to one place.

 

Security reasons I'd imagine.

and what adminCP do you prefer to get to where you need to be with minimum clicks? vBulletin's AdminCP is beyond worse then IPB 3

 

It is a bloody big problem when you have two admins on the same IP working on the same site, it may be intuitive but this security feature was a damn nightmare.

 

Hello,

You can easily switch this off. Edit initdata.php (this is found in the root forum folder)

You'll want:

PHP:

/**
* Allow IP address matching when dealing with ACP sessions
* @since 2.2.0.2006-06-30
*/
define( 'IPB_ACP_IP_MATCH', 0 );

It's a security feature so that if you accidentally pasted your ACP URL anywhere (over AIM, IRC, etc) others wouldn't be able to use your session ID to log in.

 

But that would leave you open to someone gaining access? I am sure in vbulletin that if you pasted your forums admincp URL over msn the recipient couldnt gain access like this.

 

I'm not familiar with vB's admin CP.

We chose to not use cookies when dealing with the ACP as that leaves you open to XSS attacks. For example, a malicious user could post an 'image' which is actually a PHP script that redirects your browser to the ACP and performs an action, say deleting all forums.

Using an inline session key removes that as the hacker would need to know your session key in use at the time you browsed the board which is almost impossible to determine.

We chose to tie this session to an IP address by default for further protection. If you chose to switch off IP address matching and pasted a URL, then the recipient of that link will have access until the session is set to expire.

 

Thats a shame. If only it was the same as vbulletin as im sure they must do it differently and are also protected.

 

Session to IP is coded into a lot of things. GMail, Yahoo! Mail, Live, Live/MSN Messenger, AIM, YIM, and even Skype. It's for security reasons. These programs also give a popup telling you that another computer has signed into the service using your credentials. IIRC it also gives you the option to kick the other session off so you can continue doing whatever it was you were doing.

 

Don't even get me started on the IPB administrator annoyances, but yes, this is one of those. Even in a new tab, you've still got to login, rather than having the system remember you. Use a cookie, use a session, secure the system PROPERLY against attacks!

vBulletin's admin interface literally owns IPB's admin interface. Everything is right where it's supposed to be, not spread all over hell and back. With IPB you have to search countless links for something, with vB3, you're there, you're just there. Click on Options and you can configure any vBulletin options

Not really 'intuitive'. Most people seem to think security is worth losing users over, but it's not. In this case, it's an annoyance that can be worked around, but it is, in fact, an annoyance.