How CARL Handles Admin Authentication
CARL's admin panel is protected by a straightforward session-based login system. Username and password are verified against a single admin account stored in the database, and access is blocked at the PHP level on every admin page until a valid session exists.

The Login Process
When you submit your credentials at admin/login.php, CARL queries the database for a matching username and verifies the submitted password against the stored bcrypt hash using PHP's password_verify(). If verification passes, PHP regenerates the session ID before writing the authenticated session flag. This prevents session fixation attacks, where an attacker who obtained a pre-login session ID could try to use it after authentication.
On every successful login, CARL also silently refreshes your license token against the licensing server. If the license has been revoked (trial expired), the session is destroyed immediately and login is blocked. If the licensing server is unreachable, the grace period stored in the local auth file covers continued access so a temporary network issue doesn't lock you out of your own site.
Session Protection on Every Admin Page
Every admin page calls requireLogin() at the top of the file. If no valid authenticated session exists, the visitor is redirected to the login page immediately, before any admin content is rendered or any admin action is executed. Because the check runs server-side before anything else on the page, no admin page can be reached without a valid session, and manipulating the URL or query string does not bypass it.
CSRF Protection
Every form in the CARL admin includes a CSRF token, a 64-character random hex string generated by PHP's random_bytes() and stored in the session. When a form is submitted, CARL verifies the submitted token against the session token using hash_equals(), a constant-time comparison that prevents timing attacks. Any POST request that arrives without a valid matching token is rejected with a 403 before any action is taken. AJAX requests can pass the token via the X-CSRF-Token header instead of a form field.
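As an added example (not CARL's own source code) of the login, requireLogin() and CSRF steps described above: login(), csrfToken() and verifyCsrf() are hypothetical names, $adminRow stands in for the single admin row fetched from the database, and the session is assumed to be started before these functions are called.

```php
<?php
// Added illustration, not CARL's source. Only requireLogin() and the PHP
// built-ins come from the page; the other names and $adminRow are assumed.
session_start(); // assumed: every admin page starts the session first

// Login step: verify the submitted password against the stored bcrypt
// hash, then regenerate the session ID *before* flagging the session.
function login(string $username, string $password, ?array $adminRow): bool {
    // Verify against a dummy hash when the user is unknown so the failure
    // path takes the same time and yields the same generic error.
    $hash = ($adminRow && $adminRow['username'] === $username)
        ? $adminRow['password_hash']
        : password_hash('dummy-password', PASSWORD_BCRYPT);
    if (!password_verify($password, $hash) || $adminRow === null
        || $adminRow['username'] !== $username) {
        return false; // caller shows one message for both failure cases
    }
    session_regenerate_id(true);  // anti-fixation: drop the pre-login ID
    $_SESSION['admin_authenticated'] = true;
    return true;
}

// Called at the top of every admin page before any output or action.
function requireLogin(): void {
    if (empty($_SESSION['admin_authenticated'])) {
        header('Location: /admin/login.php', true, 302);
        exit;
    }
}

// CSRF token: 32 random bytes -> 64 hex characters, kept in the session.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept the token from the form field or the X-CSRF-Token header and
// compare in constant time; reject with 403 before doing anything else.
function verifyCsrf(): void {
    $submitted = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, (string) $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}
```

A form page calls csrfToken() when rendering the hidden field, and the handler calls requireLogin() followed by verifyCsrf() before touching any data.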
The Single Admin Account
CARL operates with one admin account. There's no user roles system, no multi-admin setup, and no permission levels to manage. The admin account username and password are set during installation and can be changed at any time from inside the admin panel. For the password change process, see How to change your CARL admin password.
No Public Login Page Exposure
Unlike WordPress, CARL has no well-known login URL that automated scanners can target. The admin directory lives at /admin/ on your server, which you can rename or restrict via .htaccess if you want an additional layer of obscurity. The login page has no username enumeration vulnerability: the same error message is returned whether the username doesn't exist or the password is wrong, so there's no way to confirm valid usernames through trial submissions.
