Is it possible to change the admin url from /sitecore to anything else so that not anyone know the admin access url of site. If yes then how it can be done.
I don't recommend you to change admin url.
You can restrict access to Sitecore Client in different ways.
Please check official Sitecore document about restricting access to the Sitecore client interface.
https://doc.sitecore.net/sitecore_experience_platform/setting_up__maintaining/security_and_administration/access_rights/restrict_access_to_the_client
You should not change that URL. It will be better if you will split your environments into Content Delivery and Content Management.
Content Management should not be accessible for someone outside your company.
Content Delivery does not have /sitecore login page.
It means that if you will use correct architecture for your environment You will no have to change the url of login page.
Restricting access via IIS config is the way to go here, renaming the folder is not advised.
This might be what you're looking for:
https://community.sitecore.net/developers/f/8/t/2965
Add to your redirect in the .config file as mentioned in the link. And remove the old one.
Related
So, I have created a custom dashboard using Django. I want to access all the fields(activeplugins, active themes, wordpress version, etc) present in my wordpress dashboard and display it in my dashboard.
Wordpress doesn't have default REST endpoint to access admin related data such as plugins, themes. You will have to implement custom endpoint for that. Please refer wordpress devDoc for that. https://developer.wordpress.org/rest-api/extending-the-rest-api/adding-custom-endpoints/
I want to use Cognito for my WebExtension for Chromium and Firefox.
I have two problems.
1) Hosted UI from Cognito not at my domain - so users may think why:
For branding and security I want to host UI from Cognito on my domain. Because my product is the browser extension - I think that I can embed UI for login in iframe to the popup-ui (that shows if user push to the button of the extension).
2) Redirect after Google to the AWS - because of that user will see Choose an account to continue to amazoncognito.com but the correct text must be Choose an account to continue to <domain-of-my-project>:
Looks like this is not possible to redirect to my domain with saving automation of Cognito about exchanging of code from Google to access token from Google for getting email of user. In the documentation about domain for user pools mentioned only sub-sub-sub domain under amazoncognito.com. If this is not possible - would be useful to mention it in documentation.
Add customized domain is not available now. We have heard this request from multiple customers and would look into adding it into our future releases.
I'm confused about your second question, can you explain more about it?
With regards to your 2nd question. It's true that ideally you would want to be able to have a custom domain, but the fact google is showing amazoncognito.com is a problem with your configuration in your GCP account.
Under the API->Credentials tab in GCP console, you can adjust the product name and logo to be displayed. The problem is that you need to pass a review of your app before google starts showing them. This was changed by google after some phishing hacking attempts (https://developers.googleblog.com/2017/05/updating-developer-identity-guidelines.html).
To submit your app for a review: https://support.google.com/code/contact/oauth_app_verification
When I access my site that's being managed by Sitecore, it's redirecting me and asking for Sitecore credentials. I have no idea why but obviously the main site should be viewable to public without needing creds.
Thanks.
This could be from your sitecore cookie still in page editor mode, To fix this add this query string to your URL:
?sc_mode=normal
This will update your cookie and no reddirect to login anymore
Assuming that you have a combined CM/CD environment and that this is specific to your computer or other authors' computers, it is likely that Sitecore is picking up on the fact that you were using the Page Editor in a previous session. When you are using Page Editor Sitecore will drop a cookie called website#sc_mode and set it to "edit". If you return to the page with that cookie set it will push you to the Login Page as it things you are attempting to edit that page.
To resolve this try clearing your cookies or using a browser in Incognito mode/Private Browsing.
If this is happening to other users I would suggest following Martijn's advice in the other Answer and checking your site definition.
Check your site definitions in the web.config and/or the sites.config in the /app_config/include/ folder. Most of the times there is some misconfiguration there.
Check the security roles set on your site pages. If for some reason access has been denied to the 'extranet/anonymous' user you won't be able to browse without being authenticated.
I am developing an application using Django 1.4. When I log into admin site in another tab in the browser, the application interface in which I am already logged in automatically logs out. Please help me in solving this issue. The browser I am using is Firefox. Thanks in advance.
Admin is also a user in django. So, you can't have more than one user logged in at the same time in the same browser, can you? Try the same scenario on facebook. This is what it is. You re fine, there's no problem.
On the side note, if you are just getting started with your project use Django 1.5.
Well you cannot log into the same website with different login ids simultaneously until and unless you dont use some plugins for this feature or you are opening different ids in the incognito window.
Since admin is a superuser(still a user), hence you cannot open a multiple django accounts in the same browser. One account will be logged out in order to open the other one. This is no issue. Happy coding.
The Django admin site is just another page of your Django main website. Say if you have foo.com, then foo.com/admin/ shows you the admin portal.
And we already know that two users cannot be simultaneously logged in to the same website from the same browser.
So, you can test on your foo.com site, being an admin user itself. Experience on the Django website for any user will be same, it doesn't change with user being a staff member or superuser. Only admin site has different permissions based on these factors.
In this case, you'll be able to use both the main site, as well as admin portal.
But if you really want to use different user accounts for admin site and main site, then you should either use different browsers or Private window in Firefox.
Is it dangerous to have your admin interface in a Django app accessible by using just a plain old admin url? For security should it be hidden under an obfuscated url that is like a 64 bit unique uuid?
Also, if you create such an obfuscated link to your admin interface, how can you avoid having anyone find out where it is? Does the google-bot know how to find that url if there is no link to that url anywhere on your site or the internet?
You might want to watch out for dictionary attacks. The safest thing to do is IP restrict access to that URL using your web server configuration. You could also rate limit access to that URL - I posted an article about this last week.
If a URL is nowhere on the internet "the googlebot" can't know about it ... unless somebody tells it about it. Unfortunately many users have toolbars installed in their browser, which submit all URLs visited by the browser to various Servers (e.g. Alexa, Google).
So keeping an URL secret will not work in the long run.
Also an uuid is hard to remember and to type - leading to additional support ("What was the URL again?").
But I still strongly suggest to change the URL (e.g. to /myadmin/). This will foil automatic scanning and attack tools. So If one day an "great Django worm" hits the Internet, you have a much lower chance of being hit.
People using PHPmyAdmin had this experience for the last few years: changing the default URL avoids most attacks.
Whilst there is no harm in adding an extra layer of protection (an obfuscated url) enforcing good password choice (checking password strength and checking it's not in a large list of common passwords) would be a much better use of your time.
Assuming you've picked a good password, no, it's not dangerous. People may see the page, but they won't be able to get in anyway.
If you don't want Google to index a directory, you can use a robots.txt file to control that.