admin folder name: retrievable?


Bobby_S
12-13-2004, 08:30 AM
hi all :)

I was wondering: say you have a website with an online admin panel. It's quite obvious to log in to it over here: .../admin/login.php
In case you want to hide this admin section, is it safe to give it a less obvious name? like .../adminios/loginhere.php
> can one find the /adminios/ -folder with the aid of some tool? (and I presume there is no link from the site itself to the /adminios/ -folder)

:rolleyes:

scragar
12-13-2004, 08:45 AM
why would you need to hide the login page?

if you do go hiding that then you'll probably find an admin cannot find it and complains which causes loads of problems.

the best thing to do is create an admin page (using PHP or CGI...) create a login page and such, then whenever you open up admin.php (or .pl or .cgi or .asp etc.) you'll get a login page, from then on every page is included by admin.php (or whatever you called it), with this you can then include any files you see as being appropriate after a quick permissions check:

in PHP:
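<?php
session_start();

// Pages admin.php may include. The file names are examples; list your own.
$pages = array('users' => 'users.php', 'settings' => 'settings.php');

if (isset($_POST['login'])) {
    // process the login.
} elseif (isset($_SESSION['Admin'])) {
    // Never hand $_GET['s'] straight to include: the request would then pick
    // the file. Look the value up in the fixed list above instead.
    $s = isset($_GET['s']) ? $_GET['s'] : '';
    if (is_string($s) && isset($pages[$s])) {
        include __DIR__ . '/' . $pages[$s];
    } else {
        echo("unknown page.");
    }
} else {
    echo("You're not logged in, use the form below to login then try again.");
}
?>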

Nevermore
12-13-2004, 11:52 AM
I assume since it's .php, it's already a secure login. I agree that it will probably just cause more problems but as long as the admins are intelligent it should increase security slightly, since the only way to find these pages is by trying every permutation; there are tools available that do this, but since an HTTP transaction is required for every try, it's a time-consuming attack.
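
Added example, not part of any post in this thread: because every guess costs one HTTP request, folder-name guessing shows up in the web server's access log as one client collecting 404s for many different names. The Python sketch below flags such clients and lists any names they did reach; the Common Log Format input, the thresholds and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed Common Log Format lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
198.51.100.20 - - [13/Dec/2004:11:50:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [13/Dec/2004:11:50:03 +0000] "GET /favicon.ico HTTP/1.1" 404 208
198.51.100.20 - - [13/Dec/2004:11:50:09 +0000] "GET /about.php HTTP/1.1" 200 2310
203.0.113.7 - - [13/Dec/2004:11:52:01 +0000] "GET /admin/ HTTP/1.1" 404 208
203.0.113.7 - - [13/Dec/2004:11:52:01 +0000] "GET /administrator/ HTTP/1.1" 404 208
203.0.113.7 - - [13/Dec/2004:11:52:02 +0000] "GET /adm/ HTTP/1.1" 404 208
203.0.113.7 - - [13/Dec/2004:11:52:02 +0000] "GET /cpanel/ HTTP/1.1" 404 208
203.0.113.7 - - [13/Dec/2004:11:52:03 +0000] "GET /manage/ HTTP/1.1" 404 208
203.0.113.7 - - [13/Dec/2004:11:52:03 +0000] "GET /backend/ HTTP/1.1" 404 208
203.0.113.7 - - [13/Dec/2004:11:52:04 +0000] "GET /adminios/ HTTP/1.1" 200 1492
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')

def top_dir(path):
    """First path segment without query string, lower-cased ('' for '/')."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    return parts[0].lower() if parts else ""

def find_enumerators(log_text, min_distinct=5, min_miss_ratio=0.8):
    """Return {ip: {"misses": n, "found": [...]}} for clients that look like
    folder guessers: many distinct 404 names making up most of their requests."""
    total = defaultdict(int)
    missed = defaultdict(set)   # ip -> distinct names answered with 404
    found = defaultdict(set)    # ip -> names answered with anything else
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, path, status = m.groups()
        total[ip] += 1
        (missed if status == "404" else found)[ip].add(top_dir(path))
    report = {}
    for ip, names in missed.items():
        if len(names) >= min_distinct and len(names) / total[ip] >= min_miss_ratio:
            report[ip] = {"misses": len(names), "found": sorted(found[ip])}
    return report

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(ip, "guessed", info["misses"], "names; reached:", info["found"])
```

A non-empty "found" list for a flagged client means the renamed folder is no longer unknown to that client, so the login behind it is what has to hold.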