ComusThumbz Documentation
Admin Login

Starting Out

 Admin Login Page - User Guide

Page Location: ct/admin/ctlogin.php
Menu Path: Direct URL access (login gateway)
Access Level: Public (authentication page)
Last Updated: 2026-01-01


Overview

The Admin Login page is the secure entry point to the ComusThumbz administration panel. It provides password-based authentication with advanced security features including rate limiting, brute force protection, and automatic password hash upgrades. This is the first page administrators see when accessing the backend.

[Screenshot: ctlogin-full-page]


Getting to This Page

Access the login page directly via your browser:

  • URL Pattern: https://yourdomain.com/ct/admin/ctlogin.php
  • Alternate: https://yourdomain.com/ct/admin/ (redirects to ctlogin.php if not authenticated)
Note:
If you're already logged in, accessing this page automatically redirects you to the main dashboard.

System Requirements

Configuration Required:
This page requires the following system dependencies to function properly.

PHP Requirements

Requirement Minimum Recommended Notes
PHP Version 8.0 8.3+ Required for password_hash() with modern algorithms
memory_limit 32M 64M Minimal memory requirements
max_execution_time 30 60 Standard timeout sufficient

Required PHP Extensions

Extension Required Purpose
mysqli Yes Database connectivity
session Yes Session management for login state
openssl Recommended Not required for password hashing: password_hash() and password_verify() are built into PHP core

Required PHP Functions

Function Required For Notes
session_start() Session management Must not be disabled
password_hash() Secure password storage PHP 5.5+ built-in
password_verify() Password validation PHP 5.5+ built-in
password_needs_rehash() Auto-upgrade old hashes PHP 5.5+ built-in
setcookie() Legacy session cookies Must not be disabled
sleep() Brute force delay Used for 1-second delay on failed login

Folder Permissions

Folder Path Permission Owner Purpose
/ct/logs/ 775 www-data Error and security logging

Server Requirements

Component Requirement
Web Server Apache 2.4+ with mod_rewrite OR Nginx
Database MySQL 5.7+ / MariaDB 10.3+
HTTPS Strongly recommended for secure password transmission

Installation Requirements

This section documents everything the install script needs to set up this page correctly.

Folders Required

Folder Path Permission Created By Notes
ct/logs/ 775 Install Script Error and security logging
ct/includes/security/ 755 Install Script Security class files

Page Layout

[Screenshot: ctlogin-annotated-layout]

Page Elements

# Element Description
1 Logo Area ComusThumbz branding with icons and tagline
2 Login Container White card containing the login form
3 Header Icon Lock icon indicating secure login
4 Page Title "Admin Login" heading
5 Site Name Displays configured site name from database
6 Error Message Red alert box (only shows on failed login)
7 Password Field Password input with key icon
8 Sign In Button Green gradient button to submit login
9 Version Info Shows current software version
10 Footer Copyright and link to ComusThumbz website

Features & Functions

Password Authentication

The login system accepts both modern hashed passwords and legacy plain-text passwords for backward compatibility. Plain-text storage is only a migration path: the stored value is replaced with a hash on the first successful login.

Authentication Flow:

  1. User enters password and submits form
  2. System checks if IP is rate-limited (blocked)
  3. If not blocked, retrieves admin password from tblSettings
  4. Checks if stored password is a hash or plain text:

   - Hashed: Uses password_verify() for secure comparison
   - Plain text: Direct string comparison (legacy mode)

  5. On success:

   - Upgrades plain text passwords to secure hashes automatically
   - Sets session variables for authentication
   - Sets legacy cookies for backward compatibility
   - Resets rate limiter for the IP
   - Logs successful login
   - Redirects to main.php

  6. On failure:

   - Records attempt in rate limiter
   - Logs failed attempt
   - Shows error message with remaining attempts
   - Adds 1-second delay to slow brute force attacks

Tip:
The system automatically upgrades plain-text passwords to secure bcrypt hashes on successful login. You don't need to manually update old passwords.
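The verify-then-upgrade step described above, written out as an added PHP example (illustrative code, not the ComusThumbz ctlogin.php source). It assumes only what the page states: the stored value is either a password_hash() string or a legacy plain-text password. The function name, its return shape and the `expect()` self-check helper are this example's own, and it uses hash_equals() for the legacy comparison where the page says only "direct string comparison"; that is a hardening choice, not a description of the project's code.

```php
<?php
// Added example, not ComusThumbz code. Assumption: the stored value is
// either a password_hash() string or a legacy plain-text password.
declare(strict_types=1);

/**
 * Check a submitted password against the stored value.
 *
 * Returns ['ok' => bool, 'new_hash' => ?string]. When 'new_hash' is set the
 * caller should write it back to the settings row: it is produced on a
 * successful login for plain-text passwords and for hashes that
 * password_needs_rehash() reports as outdated (e.g. a lower bcrypt cost than
 * PASSWORD_DEFAULT currently uses).
 */
function check_admin_password(string $submitted, string $stored): array
{
    // password_get_info() reports an empty algorithm for anything that is not
    // a recognised password_hash() string; that is how a legacy value is detected.
    $isHash = !empty(password_get_info($stored)['algo']);

    if ($isHash) {
        $ok = password_verify($submitted, $stored);
    } else {
        // Legacy plain-text mode. hash_equals() compares in constant time.
        $ok = hash_equals($stored, $submitted);
    }

    if (!$ok) {
        return ['ok' => false, 'new_hash' => null];
    }

    // Upgrade path: plain text is always hashed; an existing hash is re-hashed
    // only when PHP's current default parameters differ from the stored ones.
    $needsUpgrade = !$isHash || password_needs_rehash($stored, PASSWORD_DEFAULT);

    return [
        'ok'       => true,
        'new_hash' => $needsUpgrade ? password_hash($submitted, PASSWORD_DEFAULT) : null,
    ];
}

// Self-check when run from the command line: php check_admin_password.php
if (PHP_SAPI === 'cli') {
    $expect = static function (bool $cond, string $msg): void {
        if (!$cond) {
            throw new RuntimeException("FAILED: $msg");
        }
    };

    $legacy = 'hunter2'; // constructed sample value, not a real credential

    // 1. Legacy plain-text row, correct password: accepted and upgraded
    $r = check_admin_password('hunter2', $legacy);
    $expect($r['ok'] === true && $r['new_hash'] !== null, 'plain text accepted and upgraded');
    $expect(password_verify('hunter2', $r['new_hash']), 'upgraded hash verifies');

    // 2. Same row, wrong password: rejected, nothing written back
    $r = check_admin_password('hunter3', $legacy);
    $expect($r['ok'] === false && $r['new_hash'] === null, 'wrong password rejected');

    // 3. Fresh hash at current defaults: accepted, no rehash needed
    $hash = password_hash('hunter2', PASSWORD_DEFAULT);
    $r = check_admin_password('hunter2', $hash);
    $expect($r['ok'] === true && $r['new_hash'] === null, 'current hash needs no rehash');

    // 4. Old hash with a weaker cost: accepted and re-hashed at the current cost
    $weak = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]);
    $r = check_admin_password('hunter2', $weak);
    $expect($r['ok'] === true && $r['new_hash'] !== null, 'weak hash is upgraded');

    echo "all checks passed\n";
}
```

Run it with `php check_admin_password.php`. The fourth case is the one the Tip above relies on: a hash written by an older PHP or a lower cost setting still verifies, and the caller gets a replacement to store, so the upgrade happens without any manual step.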

Rate Limiting / Brute Force Protection

The login page includes comprehensive protection against brute force attacks:

Setting Value Description
Max Attempts 5 Failed attempts before lockout
Lockout Duration 15 minutes Time until attempts reset
Sliding Window 15 minutes Time window for counting attempts

How it works:

  1. Each failed login attempt is recorded with IP address
  2. After 5 failed attempts within 15 minutes, IP is blocked
  3. Blocked IPs see a countdown message
  4. Successful login resets the counter for that IP
  5. Old records are automatically cleaned up (1% probability per request)
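The policy in the table and list above, as an added example (not the project's own code): an in-memory PHP rate limiter with the same 5-attempt / 15-minute parameters. The class and method names, and the array store standing in for tblCMSRateLimits, are assumptions; the real page persists its records to the database. The clock is injected so the countdown and the sliding window can be exercised without waiting fifteen minutes.

```php
<?php
// Added example, not ComusThumbz code. The array below stands in for the
// tblCMSRateLimits table; record shape and method names are assumptions.
declare(strict_types=1);

final class LoginRateLimiter
{
    public const MAX_ATTEMPTS    = 5;
    public const WINDOW_SECONDS  = 15 * 60; // sliding window for counting attempts
    public const LOCKOUT_SECONDS = 15 * 60; // how long a blocked IP stays blocked

    /** @var array<string, array{attempts: int[], blocked_until: ?int}> keyed by client IP */
    private array $records = [];

    /** @var callable(): int  returns the current Unix time */
    private $clock;

    public function __construct(?callable $clock = null)
    {
        $this->clock = $clock ?? static fn(): int => time();
    }

    /** Seconds until the IP may try again, or 0 if it is not blocked. */
    public function blockedFor(string $ip): int
    {
        $until = $this->records[$ip]['blocked_until'] ?? null;
        $now   = ($this->clock)();
        return ($until !== null && $until > $now) ? $until - $now : 0;
    }

    /** Record a failed attempt; returns attempts remaining before lockout (0 = now blocked). */
    public function recordFailure(string $ip): int
    {
        $now = ($this->clock)();
        $rec = $this->records[$ip] ?? ['attempts' => [], 'blocked_until' => null];

        // Sliding window: discard attempts older than WINDOW_SECONDS before counting.
        $rec['attempts'] = array_values(array_filter(
            $rec['attempts'],
            static fn(int $t): bool => $t > $now - self::WINDOW_SECONDS
        ));
        $rec['attempts'][] = $now;

        $remaining = self::MAX_ATTEMPTS - count($rec['attempts']);
        if ($remaining <= 0) {
            $rec['blocked_until'] = $now + self::LOCKOUT_SECONDS;
            $remaining = 0;
        }
        $this->records[$ip] = $rec;
        return $remaining;
    }

    /** A successful login clears both the attempt history and any block for the IP. */
    public function reset(string $ip): void
    {
        unset($this->records[$ip]);
    }

    /** Housekeeping the page describes as running with 1% probability per request. */
    public function cleanup(): void
    {
        $now = ($this->clock)();
        foreach ($this->records as $ip => $rec) {
            $stale     = $rec['attempts'] === [] || max($rec['attempts']) <= $now - self::WINDOW_SECONDS;
            $unblocked = $rec['blocked_until'] === null || $rec['blocked_until'] <= $now;
            if ($stale && $unblocked) {
                unset($this->records[$ip]);
            }
        }
    }
}

// Self-check when run from the command line: php rate_limiter.php
if (PHP_SAPI === 'cli') {
    $now     = 1_700_000_000;                              // constructed fixed clock
    $limiter = new LoginRateLimiter(function () use (&$now): int { return $now; });
    $ip      = '203.0.113.7';                              // documentation-range address

    $expect = static function (bool $cond, string $msg): void {
        if (!$cond) {
            throw new RuntimeException("FAILED: $msg");
        }
    };

    for ($i = 4; $i >= 1; $i--) {
        $expect($limiter->recordFailure($ip) === $i, "failure leaves $i attempts remaining");
    }
    $expect($limiter->blockedFor($ip) === 0, 'four failures do not block');
    $expect($limiter->recordFailure($ip) === 0, 'fifth failure blocks');
    $expect($limiter->blockedFor($ip) === 15 * 60, 'countdown starts at 15 minutes');

    $now += 14 * 60;
    $expect($limiter->blockedFor($ip) === 60, 'one minute left after 14 minutes');
    $now += 60;
    $expect($limiter->blockedFor($ip) === 0, 'lockout expires after 15 minutes');

    // The old failures have left the sliding window, so a new one starts the count over.
    $expect($limiter->recordFailure($ip) === 4, 'window has slid');

    $limiter->reset($ip);
    $expect($limiter->blockedFor($ip) === 0, 'successful login resets the IP');
    $limiter->cleanup();
    echo "all checks passed\n";
}
```

Keying on the client IP means the address the application sees has to be the real client. Behind a reverse proxy or CDN every visitor would otherwise share the proxy's counter and lock each other out, and an attacker who can rotate source addresses gets five guesses per address; the 1-second delay on failure slows a single connection but also ties up a PHP worker for that second.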

Step-by-Step Usage

Logging In

  1. Navigate to https://yourdomain.com/ct/admin/ctlogin.php
  2. Enter your admin password in the password field
  3. Click the Sign In button
  4. If successful, you'll be redirected to the dashboard

[Screenshot: ctlogin-password-entry]

Handling Failed Logins

If you enter the wrong password:

  1. An error message appears showing remaining attempts
  2. After 5 failed attempts, you'll be locked out for 15 minutes
  3. Wait for the lockout to expire, or:

   - Access the database directly
   - Delete records from tblCMSRateLimits for your IP

[Screenshot: ctlogin-error-message]

Recovering from Lockout

If you're locked out due to too many failed attempts:

Wait

  • The lockout expires automatically after 15 minutes
  • The countdown is shown in the error message

Troubleshooting

Common Errors

Error Message Cause Solution
"Invalid password. You have X attempts remaining." Wrong password entered Double-check your password; a hashed password cannot be read back from the database, so if it is forgotten set a new value in tblSettings (see Login Not Working)
"Too many failed login attempts. Please try again in X minutes." Rate limit triggered Wait for lockout to expire or clear tblCMSRateLimits
"Database connection failed" Cannot connect to MySQL Verify config.inc.php credentials; check MySQL service
"Error: Could not fetch settings from database" tblSettings missing or empty Run installation SQL to create settings row

Login Not Working

Problem: Correct password doesn't work.

Solutions:

  1. Verify the stored value in the database:
   SELECT adminpassword FROM tblSettings WHERE id = 1;

  2. If it is a hash it cannot be read back. To reset it, store either a new hash generated with password_hash() or a temporary plain-text value; a plain-text value is upgraded to a hash on the first successful login, so replace a throwaway value with a strong password straight away
  3. Check if rate limiting is blocking you (look in tblCMSRateLimits)
  4. Verify session is working (check php.ini session settings)

Session Not Persisting

Problem: Login succeeds but you're immediately logged out.

Solutions:

  1. Check PHP session configuration:
   phpinfo(); // Look for session settings

  2. Verify session save path is writable
  3. Check for cookie domain issues (localhost vs domain)
  4. Clear browser cookies and try again

Lockout Recovery

Problem: Locked out and can't remember how long to wait.

Solution:

-- Check when you'll be unblocked
SELECT identifier, blockeduntil,
       TIMESTAMPDIFF(MINUTE, NOW(), blockeduntil) AS minutesremaining
FROM tblCMSRateLimits
WHERE action = 'adminlogin'
  AND blockeduntil > NOW();

Security Best Practices

Warning:
CRITICAL: Always use HTTPS for the admin login page to prevent password interception.
  1. Use Strong Passwords

   - Minimum 12 characters
   - Mix of uppercase, lowercase, numbers, symbols
   - Avoid dictionary words

  2. Monitor Login Logs

   - Regularly check tblLogs for failed attempts
   - Watch for patterns indicating attacks
   - Consider implementing IP whitelisting if needed

  3. Keep Software Updated

   - Password hashing algorithms are regularly improved
   - Updates may include security fixes

  4. Rename or Protect Admin Path

   - Consider using .htaccess to add an extra authentication layer
   - Use IP whitelisting for admin access if possible
   - If the site sits behind a reverse proxy or CDN, make sure the application sees the real client address; otherwise both the rate limiter and any IP whitelist act on the proxy's address


Changelog

Date Version Changes
2026-01-01 1.0 Initial guide created
2025-10-27 - Rate limiting system added