Feature Requests
Share ideas, discuss and vote on requests from other users in community
 

Make Password Request on Adminarea Optional in Config

scysys shared this idea 1 year ago
Declined

Make the Password requests in WHMCS Admin Area optional in Options.

WHMCS requests admin Password on areas like: configgeneral.php

Usability is = 0

Think about it and make optional.

That thing does not improve the security overall!

Comments (5)

1

I fully agree.

All it does is slow us down and annoy

1

They are not interested. Also asked over Support Tickets. No interest in usability at all. They also are not willing to change this stupid thing when we pay for it.

1

I agree. It's one of the most useless features. Please make it optional.

1

Hi,

Thanks for submitting this feature request. I can assure you that we are very interested in customer feedback and suggestions; they form one of the main ways in which we plan the future road-map of the software. However, due to the number of requests we receive (sometimes conflicting) it isn't possible to implement every idea.

I'd like to take a moment to explain a little about why this additional password check was implemented within the admin area, and why we do not intend to remove it. Even if you still don't agree with our decision, hopefully it will at least make the reasons for implementing it clearer.

Adding the password prompt when accessing system setting pages introduces a check and balance which delineates between using the admin area in a day-to-day way and the occasional actions of changing configurations. It also adds a level of proactive prevention against theoretical privilege elevation attacks, and a staff member accidentally leaving an active admin session on a publicly accessible computer. Security is always our top priority.

The obtrusiveness of the admin password prompt is reduced by:

  • Only being required when accessing sections of the admin area related to making configuration settings; pages which are not typically accessed on a daily basis.
  • Only being required again if accessing a protected page more than 15 minutes after the last.

I trust you find that explanation insightful. Thanks for your continued custom and please do keep suggesting and voting on other ideas!
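The time-boxed password re-prompt described in the reply above, as an added example that is not part of the thread and is not WHMCS code. It assumes the 15-minute window is measured from the last permitted protected-page access; the class, function names and PBKDF2 parameters are hypothetical.

```python
import hashlib
import hmac

REAUTH_WINDOW = 15 * 60  # seconds; the 15-minute figure comes from the reply above
# Assumed set of protected pages; configgeneral.php is the one named in the thread.
PROTECTED_PAGES = {"configgeneral.php"}


def hash_password(password, salt):
    """Derive a password hash with PBKDF2 (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminSession:
    """Model of an already logged-in admin session (constructed for this example)."""

    def __init__(self, salt, password_hash):
        self.salt = salt
        self.password_hash = password_hash
        self.last_protected_access = None  # no protected page served yet

    def needs_password(self, page, now):
        """True when this request must carry the admin password again."""
        if page not in PROTECTED_PAGES:
            return False  # day-to-day pages never prompt
        if self.last_protected_access is None:
            return True  # first visit to a configuration page
        return now - self.last_protected_access > REAUTH_WINDOW

    def access(self, page, now, password=None):
        """Return True if the page may be served, False if a prompt is required."""
        if self.needs_password(page, now):
            if password is None:
                return False
            candidate = hash_password(password, self.salt)
            # Constant-time comparison; a wrong password does not refresh the window.
            if not hmac.compare_digest(candidate, self.password_hash):
                return False
        if page in PROTECTED_PAGES:
            self.last_protected_access = now
        return True
```

A hijacked or unattended session that has not touched a configuration page within the window gets `False` from `access()` until the password is supplied, which is the check the reply describes.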

1

As I've previously stated in another comment, let us decide how to run our business and let us choose to enable this functionality or disable it or at least control how long between having to enter the password. It's horribly frustrating when you are busy working on something, switch to a different area to make a modification, then have to come back and enter that information again. It's cumbersome and slows down productivity.