JSecure2 testing and email notice?
TOPIC: JSecure2 testing and email notice?
#611
JSecure2 testing and email notice? 1 Year, 10 Months ago Karma: 0
When getting email of bad login access attempts (IIS server) the message comes out like

----------------
Currently Some User has try to access the administrator from following IP:mysite.causing Key:wrongKey
----------------
(Blank Key: if they try /administrator/ alone)

Now I would think that IP would have the intruder's address, not just the domain, which would already be known from the email subject if set or the mailed "from" site address? Lesser plug-ins I have used were able to get IPs no problem, so I expect something is not set right?


* A note for people testing if JSecure is working in Firefox 3+. There appears to be some sort of hidden URL/session cache system in Firefox, as often, even after clearing all caches, history, forms etc. and restarting Firefox, trying to intentionally use ?fakekey or /administrator/ will still get you the login page.

The only way to test without using a different Firefox profile or a different browser is to use "Private Mode" when Firefox keeps bringing up the correct login page when it should not (even without clearing caches and restarting, this will work).

Lastly should line 34 in jsecure.php have the period?

$path .= $params->get....
NetBSafe
Fresh Boarder
Posts: 7
 
#617
Re: JSecure2 testing and email notice? 1 Year, 10 Months ago Karma: 0
We regret the delay in replying to this post. We will look into this ASAP and report back.
aaron.handford
Admin
Posts: 16
 
#619
Re: JSecure2 testing and email notice? 1 Year, 10 Months ago Karma: 2
Hi,

We will add the change in the next version to display the IP in the mail.
Can you log out of the system and check access to the administrator again with the same browser?

Thanks and Regards,
Bhavin Shah
bhavin.shah
Moderator
Posts: 393
 
#626
Re:JSecure2 testing and email notice? 1 Year, 10 Months ago Karma: 0
First off, any information on whether the period before the equals should be on line 34 of jsecure.php?

$path .= $params->get_______


Below is still not something that needs fixing as it probably has nothing to do with jsecure code itself.

But is something that people trying to test it, should be aware of.

In short, jsecure works perfectly fine in this regard, as it only affects people that "already know" the correct login key. It will always block unwanted attempts.

I had a bit of time to do some testing again, trying 4 different computers with differing settings from more secure to default browser settings. The same things happen with both v1.08, which I had previously used, and v.2.

I found that on the odd occasion when the website is running on a *Windows IIS server*, Firefox 3+ would for some reason continue to show the correct admin login page when trying to use a ?wrongkey, or on Firefox 3+, IE 7-8 and Safari when trying direct yoursite.com/administrator/, "IF" you had previously used your correct key in the current browser session (on 1 computer it would do it even after clearing all caches and restarting the browser half the time).

Now on my 'nix' *XAMPP server*, Firefox 3+, IE 7-8 and Safari would never allow ?wrongkey to work, but using direct yoursite.com/administrator/ would often work AFTER you have successfully loaded the admin login page during the -current browser session only-.

But closing the browser and clearing caches, history etc. and re-opening the browser to test trying to load the admin page without the correct method and key would always block the attempt if done before a correct ?key is used.

Even simpler for either type of server (IIS or *Nix) when testing: just use your browser's Private Mode for a minute and you can always find out if you have jsecure working correctly.

Lastly, I am glad to hear that a future version will show the intruder's IP so I can deal with them if needed and not have to go searching through raw logs.

Have a nice day everyone,
NetBSafe
Fresh Boarder
Posts: 7
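
An added example, not part of the original posts and not jSecure's code: a hypothetical gate showing the two behaviours discussed in this thread, assuming (as one possible cause) that the plugin remembers a correct key in the PHP session. It reports the visitor's `REMOTE_ADDR` rather than the site host name, and it blocks a request with an empty session (what a private window sends) while letting through a session that already presented the key. Function names, the key and the addresses are constructed.

```php
<?php
// Hypothetical admin-URL gate, NOT jSecure's code. $server and $session stand
// in for $_SERVER and $_SESSION so the script runs from the CLI.

function client_ip(array $server): string
{
    // REMOTE_ADDR is the peer address of the TCP connection. HTTP_HOST and
    // SERVER_NAME describe the site being requested, not the visitor.
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : 'unknown';
}

function gate(array $server, array &$session, string $secret): array
{
    parse_str($server['QUERY_STRING'] ?? '', $query);
    // The secret is sent as a bare parameter name: /administrator/?secret
    $supplied = (string) (array_key_first($query) ?? '');

    if ($supplied !== '' && hash_equals($secret, $supplied)) {
        $session['gate_ok'] = true;   // remembered for the rest of the session
        return ['allow' => true, 'notice' => null];
    }
    if (!empty($session['gate_ok'])) {
        // Earlier correct key in this session: the login page is shown again.
        return ['allow' => true, 'notice' => null];
    }
    $notice = sprintf(
        'Blocked administrator access from IP: %s using key: %s',
        client_ip($server),
        $supplied === '' ? '(blank)' : preg_replace('/[^\w.-]/', '?', $supplied)
    );
    return ['allow' => false, 'notice' => $notice];
}

// Constructed requests (203.0.113.7 is a documentation address).
$secret  = 'example-key';
$base    = ['HTTP_HOST' => 'mysite.example', 'REMOTE_ADDR' => '203.0.113.7'];
$fresh   = [];                       // private window: no session cookie
$session = [];                       // ordinary browser session

print_r(gate($base + ['QUERY_STRING' => 'wrongKey'], $fresh, $secret));    // blocked
print_r(gate($base + ['QUERY_STRING' => 'example-key'], $session, $secret));
print_r(gate($base + ['QUERY_STRING' => ''], $session, $secret));          // allowed
```

Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so a forwarded-for header should only be consulted when the connection comes from that known proxy.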
 
#633
Re:JSecure2 testing and email notice? 1 Year, 10 Months ago Karma: 2
Hi,

Thanks for the reply.

We will look at our code and will add changes as per your suggestion.

Thanks and Regards,
Bhavin Shah
bhavin.shah
Moderator
Posts: 393
 