Patrick's CMS

Cookies used

superMicro CMS sets 3 cookies, all set or deleted in /admin/top.php.

(1) test_cookie_4wxyz with the value of either installed_sec (secure) or installed_ins (insecure).

(2) superMicro_4wxyz with the value of the salted and hashed admin password.

(3) adminlink_4wxyz with the value of either loggedin_sec (secure) or loggedin_ins (insecure).

Usually the cookies are the secure variant (the _sec values). 4wxyz is an example of the unique site ID (created per site) for additional security and to distinguish one site from another if more than one site is installed on the same domain.

The test cookie tests whether cookies are enabled and working. It is set each time an admin page is viewed and lasts for an hour.

The superMicro login cookie is set only if the test cookie exists and login is valid. It is not required to log in to admin but allows a logged-in user to view a succession of admin pages without having to continually log in for each page.

The adminlink cookie is set when a user logs in to admin. It results in an 'Edit' link on the public navigation bar but only for a logged-in user. The link is never visible to anyone else and lasts for an hour.

Regardless of the set duration of the three cookies, they are all deleted on logout. No cookies then exist. They are all set in admin, therefore no cookies are sent to normal visitors and nothing is stored for subsequent visits. That is why there is no cookie "approve" or "reject" (consent) routine.

/admin/top.php

  • 1. PREPARATORY
  • Include './functions.php' and, if it exists, /inc/settings.php.
  • Get the site ID and add it to the three cookie names.
  • Section to get the domain and enable secure cookies.
  • Set cross-platform PHP_EOL constant (for 'explode') for backwards compatibility.
  • Login form action fix for empty PHP_SELF (all admin).
  • Get the salted and hashed password and the salt.
  • Get the admin directory for the login cookie path.
  • Get the logged-in status (logout sets the 'status' parameter in the address bar to 'logout', all admin).
  • 2. IF LOGIN FORM SUBMITTED
  • Check test cookie then set login cookie to avoid repeated logins
  • 3. IF LOGIN FORM NOT SUBMITTED, NORMAL RUNNING
  • Set test cookie.
  • Check if a login cookie exists then check the cookie to determine if logged in or not.
  • 4. IF LOGOUT SUBMITTED OR LOGIN ATTEMPT BY UNVERIFIED USER
  • Delete all cookies.
  • Set login to false.
  • 5. LOGIN/LOGOUT (REGARDLESS OF STATUS)
  • Check login status. If logged out, do login form footer (needs domain), otherwise set adminlink cookie for 'Edit' link in navigation menu.
  • 6. TESTS
  • // Uncomment for tests output (after all cookies set or deleted).

The exact order of the above is tricky.
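The cookie flow described above (test cookie, login cookie, adminlink cookie, delete-all on logout or failed login), as an added example and not superMicro's own top.php. It assumes the stored salted hash was produced by password_hash(), that the login form posts a 'password' field, that $siteId, $saltedHash and $adminDir are read from settings, and that the adminlink cookie uses path '/' because the 'Edit' link appears on the public navigation bar.

```php
<?php
// Added example, not the project's code. $siteId, $saltedHash, $adminDir and
// the 'password' form field are assumptions for illustration only.
declare(strict_types=1);

$siteId     = '4wxyz';                  // unique per-site ID appended to cookie names
$saltedHash = '<stored salted hash>';   // placeholder: the real CMS reads this from settings
$adminDir   = '/admin/';                // cookie path for the test and login cookies
$secure     = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$suffix     = $secure ? '_sec' : '_ins';

$testName  = 'test_cookie_' . $siteId;
$loginName = 'superMicro_' . $siteId;
$linkName  = 'adminlink_' . $siteId;

// Shared cookie options: one-hour lifetime, HttpOnly, Secure on HTTPS, SameSite=Strict.
function cookieOpts(string $path, bool $secure, int $ttl = 3600): array {
    return ['expires' => time() + $ttl, 'path' => $path, 'secure' => $secure,
            'httponly' => true, 'samesite' => 'Strict'];
}

// Step 4: delete every cookie by re-setting it with an expiry in the past.
function deleteAll(array $names, string $adminDir, bool $secure): void {
    foreach ($names as $name) {
        setcookie($name, '', cookieOpts($adminDir, $secure, -3600));
        setcookie($name, '', cookieOpts('/', $secure, -3600));
    }
}

$loggedIn = false;

if (isset($_POST['password'])) {                          // 2. login form submitted
    $ok = isset($_COOKIE[$testName])                      // cookies must be enabled and working
        && password_verify((string) $_POST['password'], $saltedHash);
    if ($ok) {                                            // login cookie avoids repeated logins
        setcookie($loginName, $saltedHash, cookieOpts($adminDir, $secure));
        $loggedIn = true;
    }
} elseif (($_GET['status'] ?? '') !== 'logout') {         // 3. normal running
    setcookie($testName, 'installed' . $suffix, cookieOpts($adminDir, $secure));
    $loggedIn = isset($_COOKIE[$loginName])               // constant-time comparison of the
        && hash_equals($saltedHash, (string) $_COOKIE[$loginName]); // cookie against the stored hash
}

if (!$loggedIn) {                                         // 4. logout or unverified user
    deleteAll([$testName, $loginName, $linkName], $adminDir, $secure);
} else {                                                  // 5. 'Edit' link for the logged-in user only
    setcookie($linkName, 'loggedin' . $suffix, cookieOpts('/', $secure));
}
```

Because the login cookie carries the stored hash itself, compare it with hash_equals() rather than ==, and keep HttpOnly set so the value is never readable from page scripts.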

Information

Page last modified: 20 May, 2023