ComusThumbz Documentation
HTML Markdown Print/PDF Plain Text
Admin Login

Documentation Menu


Admin Access

Logged In

Admin Login Page - User Guide

Page Location: ct/admin/ctlogin.php
Menu Path: Direct URL access (login gateway)
Access Level: Public (authentication page)
Last Updated: 2026-01-01

Overview

The Admin Login page is the secure entry point to the ComusThumbz administration panel. It provides password-based authentication with advanced security features including rate limiting, brute force protection, and automatic password hash upgrades. This is the first page administrators see when accessing the backend.

[Screenshot: ctlogin-full-page]

Getting to This Page

Access the login page directly via your browser:

  • URL Pattern: https://yourdomain.com/ct/admin/ctlogin.php
  • Alternate: https://yourdomain.com/ct/admin/ (redirects to ctlogin.php if not authenticated)

 

 

Note:
If you're already logged in, accessing this page automatically redirects you to the main dashboard.

 

System Requirements

 

Configuration Required:
This page requires the following system dependencies to function properly.

 

PHP Requirements

Requirement Minimum Recommended Notes
PHP Version 8.0 8.3+ Required for passwordhash() with modern algorithms
memorylimit 32M 64M Minimal memory requirements
maxexecutiontime 30 60 Standard timeout sufficient

Required PHP Extensions

Extension Required Purpose
mysqli Yes Database connectivity
session Yes Session management for login state
openssl Recommended Secure password hashing algorithms

Required PHP Functions

Function Required For Notes
sessionstart() Session management Must not be disabled
passwordhash() Secure password storage PHP 5.5+ built-in
passwordverify() Password validation PHP 5.5+ built-in
passwordneedsrehash() Auto-upgrade old hashes PHP 5.5+ built-in
setcookie() Legacy session cookies Must not be disabled
sleep() Brute force delay Used for 1-second delay on failed login

Folder Permissions

Folder Path Permission Owner Purpose
/ct/logs/ 775 www-data Error and security logging

Server Requirements

Component Requirement
Web Server Apache 2.4+ with modrewrite OR Nginx
Database MySQL 5.7+ / MariaDB 10.3+
HTTPS Strongly recommended for secure password transmission

Installation Requirements

This section documents everything the install script needs to set up this page correctly.

Database Tables

Table Name Required Default Data Notes
tblSettings Yes Yes (row id=1) Stores admin password, site settings
tblLogs Yes No Login attempt logging
tblCMSRateLimits Yes No Rate limiting data

<details> <summary>SQL: Create Tables</summary>

-- Settings table (must have id=1 row with adminpassword)
-- Note: tblSettings has many columns - key ones for login:
CREATE TABLE IF NOT EXISTS tblSettings (
    id int(11) NOT NULL AUTOINCREMENT,
    adminpassword varchar(255) NOT NULL,
    version varchar(20) NOT NULL DEFAULT '1.0',
    sitename varchar(100) NOT NULL DEFAULT 'ComusThumbz',
    logins int(10) NOT NULL DEFAULT 0,
    -- ... other settings columns ...
    PRIMARY KEY (id)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4unicodeci;

-- Insert default settings row if not exists
INSERT INTO tblSettings (id, adminpassword, version, sitename, logins)
VALUES (1, 'changeme', '1.0', 'ComusThumbz', 0)
ON DUPLICATE KEY UPDATE id = id;

-- Logs table for tracking login attempts
CREATE TABLE IF NOT EXISTS tblLogs (
id int(10) unsigned NOT NULL AUTOINCREMENT,
ip varchar(20) NOT NULL DEFAULT '',
date datetime NOT NULL,
status varchar(30) NOT NULL DEFAULT '',
type varchar(50) NOT NULL DEFAULT '',
info varchar(200) NOT NULL DEFAULT '',
email varchar(100) NOT NULL DEFAULT '',
WebmasterID int(10) unsigned DEFAULT NULL,
WebmasterSiteID int(10) unsigned DEFAULT NULL,
PRIMARY KEY (id),
KEY WebmasterID (WebmasterID),
KEY WebmasterSiteID (WebmasterSiteID)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4unicodeci;

-- Rate limiting table for brute force protection
CREATE TABLE IF NOT EXISTS tblCMSRateLimits (
id int(11) NOT NULL AUTOINCREMENT,
identifier varchar(255) NOT NULL,
action varchar(100) NOT NULL,
attempts int(11) DEFAULT 0,
windowstart timestamp NULL DEFAULT NULL,
blockeduntil timestamp NULL DEFAULT NULL,
PRIMARY KEY (id),
KEY identifier (identifier),
KEY windowstart (windowstart),
KEY blockeduntil (blockeduntil)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4unicodeci;

 

</details>

Config Settings (dat/config.inc.php)

Variable Type Default Description
$dbhost string localhost Database server hostname
$dbuser string - Database username
$dbpasswd string - Database password
$db string - Database name
Warning: The admin password is stored in tblSettings.adminpassword, NOT in config.inc.php. This allows secure hashing and database-level storage.

File Dependencies

File Path Dependency Type Required Notes
ct/dat/config.inc.php Require Yes Database connection credentials
ct/includes/security/RateLimiter.php Require Yes Brute force protection
ct/logs/php-error.log Write Yes Error logging destination

Folders Required

Folder Path Permission Created By Notes
ct/logs/ 775 Install Script Error and security logging
ct/includes/security/ 755 Install Script Security class files

External Dependencies

This page has no external service dependencies.

Install Script Checklist

  • [ ] Database tables created (tblSettings, tblLogs, tblCMSRateLimits)
  • [ ] Default settings row inserted with id=1
  • [ ] Initial admin password set in tblSettings.adminpassword
  • [ ] ct/logs/ folder created with write permissions
  • [ ] RateLimiter.php in ct/includes/security/

Page Layout

[Screenshot: ctlogin-annotated-layout]

Page Elements

# Element Description
1 Logo Area ComusThumbz branding with icons and tagline
2 Login Container White card containing the login form
3 Header Icon Lock icon indicating secure login
4 Page Title "Admin Login" heading
5 Site Name Displays configured site name from database
6 Error Message Red alert box (only shows on failed login)
7 Password Field Password input with key icon
8 Sign In Button Green gradient button to submit login
9 Version Info Shows current software version
10 Footer Copyright and link to ComusThumbz website

Features & Functions

Password Authentication

The login system supports both modern hashed passwords and legacy plain-text passwords for backward compatibility.

Authentication Flow:

  1. User enters password and submits form
  2. System checks if IP is rate-limited (blocked)
  3. If not blocked, retrieves admin password from tblSettings
  4. Checks if stored password is a hash or plain text:
  • Hashed: Uses passwordverify() for secure comparison
  • Plain text: Direct string comparison (legacy mode)
  1. On success:
  • Upgrades plain text passwords to secure hashes automatically
  • Sets session variables for authentication
  • Sets legacy cookies for backward compatibility
  • Resets rate limiter for the IP
  • Logs successful login
  • Redirects to main.php
  1. On failure:
  • Records attempt in rate limiter
  • Logs failed attempt
  • Shows error message with remaining attempts
  • Adds 1-second delay to slow brute force attacks

 

Tip:
The system automatically upgrades plain-text passwords to secure bcrypt hashes on successful login. You don't need to manually update old passwords.

 

Rate Limiting / Brute Force Protection

The login page includes comprehensive protection against brute force attacks:

Setting Value Description
Max Attempts 5 Failed attempts before lockout
Lockout Duration 15 minutes Time until attempts reset
Sliding Window 15 minutes Time window for counting attempts

How it works:

  1. Each failed login attempt is recorded with IP address
  2. After 5 failed attempts within 15 minutes, IP is blocked
  3. Blocked IPs see a countdown message
  4. Successful login resets the counter for that IP
  5. Old records are automatically cleaned up (1% probability per request)

 

Warning:
If you lock yourself out, you must wait 15 minutes or directly delete records from tblCMSRateLimits table.

 

Session Management

On successful login, the following session variables are set:

Variable Value Purpose
$SESSION['loggedin'] true Primary authentication flag
$SESSION['userloggedin'] true Backward compatibility flag
$SESSION['logintime'] time() Session start timestamp
$SESSION['ipaddress'] Client IP Security tracking

Legacy Cookies Set:

Cookie Value Purpose
login authenticated Legacy system integration
level 1 Admin level indicator
prefoptions 74 ones Full permission string

Login Logging

All login attempts are logged to tblLogs:

Field Success Value Failure Value
ip Client IP Client IP
date Current datetime Current datetime
status "Success" "Failure"
type "Login" "Login"
info "Admin Login Attempt" "Admin Login Attempt"

Version Check

You can check the software version without logging in:

  • URL: ctlogin.php?action=ver
  • Response: Version: X.X.X

 

Step-by-Step Usage

Logging In

  1. Navigate to https://yourdomain.com/ct/admin/ctlogin.php
  2. Enter your admin password in the password field
  3. Click the Sign In button
  4. If successful, you'll be redirected to the dashboard

[Screenshot: ctlogin-password-entry]

Handling Failed Logins

If you enter the wrong password:

  1. An error message appears showing remaining attempts
  2. After 5 failed attempts, you'll be locked out for 15 minutes
  3. Wait for the lockout to expire, or:
  • Access the database directly
  • Delete records from tblCMSRateLimits for your IP

[Screenshot: ctlogin-error-message]

Recovering from Lockout

If you're locked out due to too many failed attempts:

Option 1: Wait

  • The lockout expires automatically after 15 minutes
  • The countdown is shown in the error message

 

Option 2: Database Reset

-- Find and delete rate limit records for your IP

DELETE FROM tblCMSRateLimits

WHERE identifier = 'YOUR.IP.ADDRESS'

AND action = 'adminlogin';

 

Option 3: Reset All Rate Limits

-- Clear all rate limiting (use with caution)

TRUNCATE TABLE tblCMSRateLimits;

 

Changing the Admin Password

The admin password is stored in tblSettings:

-- Set a new plain-text password (will be auto-hashed on next login)
UPDATE tblSettings SET adminpassword = 'yournewpassword' WHERE id = 1;

-- Or set a pre-hashed password (more secure)
UPDATE tblSettings SET adminpassword = '$2y$10$...' WHERE id = 1;

 

 

Tip:
If you set a plain-text password, it will be automatically converted to a secure hash the next time you log in successfully.

 

Troubleshooting

Common Errors

Error Message Cause Solution
"Invalid password. You have X attempts remaining." Wrong password entered Double-check your password; verify in database if forgotten
"Too many failed login attempts. Please try again in X minutes." Rate limit triggered Wait for lockout to expire or clear tblCMSRateLimits
"Database connection failed" Cannot connect to MySQL Verify config.inc.php credentials; check MySQL service
"Error: Could not fetch settings from database" tblSettings missing or empty Run installation SQL to create settings row

Login Not Working

Problem: Correct password doesn't work.

Solutions:

  1. Verify password in database:

 

SELECT adminpassword FROM tblSettings WHERE id = 1;

 

  1. If it's a hash, try resetting to plain text temporarily
  2. Check if rate limiting is blocking you (look in tblCMSRateLimits)
  3. Verify session is working (check php.ini session settings)

 

Session Not Persisting

Problem: Login succeeds but you're immediately logged out.

Solutions:

  1. Check PHP session configuration:

 

phpinfo(); // Look for session settings

 

  1. Verify session save path is writable
  2. Check for cookie domain issues (localhost vs domain)
  3. Clear browser cookies and try again

 

Lockout Recovery

Problem: Locked out and can't remember how long to wait.

Solution:

-- Check when you'll be unblocked

SELECT identifier, blockeduntil,

       TIMESTAMPDIFF(MINUTE, NOW(), blockeduntil) as minutesremaining

FROM tblCMSRateLimits

WHERE action = 'adminlogin'

AND blockeduntil > NOW();

 

Security Best Practices

 

Warning:
CRITICAL: Always use HTTPS for the admin login page to prevent password interception.

 

  1. Use Strong Passwords
  • Minimum 12 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Avoid dictionary words
  1. Monitor Login Logs
  • Regularly check tblLogs for failed attempts
  • Watch for patterns indicating attacks
  • Consider implementing IP whitelisting if needed
  1. Keep Software Updated
  • Password hashing algorithms are regularly improved
  • Updates may include security fixes
  1. Rename or Protect Admin Path
  • Consider using .htaccess to add extra authentication layer
  • Use IP whitelisting for admin access if possible
  • Admin Dashboard (ct/admin/main.php) - Main admin interface after login
  • System Logs (ct/admin/logs.php) - View all login attempts
  • Settings (ct/admin/config.setup.php) - Configure site settings

Translatable Strings

The following text strings appear in this page and should be added to backend_translations.md:

Page Elements

  • "Admin Login"
  • "COMUSTHUMBZ"
  • "High Powered Website Automation"
  • "Password"
  • "Enter your password"
  • "Sign In"
  • "Version"

Error Messages

  • "Invalid password. You have X attempts remaining."
  • "Invalid password. Too many failed attempts."
  • "Too many failed login attempts. Please try again in X."
  • "Database connection failed:"
  • "Error: Could not fetch settings from database"

Time Formatting

  • "second" / "seconds"
  • "minute" / "minutes"
  • "hour" / "hours"

Changelog

Date Version Changes
2026-01-01 1.0 Initial guide created
2025-10-27 - Rate limiting system added

Related Pages