
wd's avatar
Level 1

login and register URL

Hi, I'm currently setting up a site with an administrator part, and my concern is how to change the name of my URLs (/login, /register), because Laravel is popular and a foreign person can access it if he knows the way. Thanks.

0 likes
15 replies
laracoft's avatar

Remove Auth::routes() from web.php and use the following instead:

        // Authentication Routes...
        $this->get('login', 'Auth\LoginController@showLoginForm')->name('login');
        $this->post('login', 'Auth\LoginController@login');
        $this->post('logout', 'Auth\LoginController@logout')->name('logout');

        // Registration Routes...
        if ($options['register'] ?? true) {
            $this->get('register', 'Auth\RegisterController@showRegistrationForm')->name('register');
            $this->post('register', 'Auth\RegisterController@register');
        }

        // Password Reset Routes...
        if ($options['reset'] ?? true) {
            $this->resetPassword();
        }

        // Email Verification Routes...
        if ($options['verify'] ?? false) {
            $this->emailVerification();
        }

Above code is from vendor\laravel\framework\src\Illuminate\Routing\Router.php

msaied's avatar

@wd The best thing is to group them with a prefix like this; just change the word 'secret':

        Route::prefix('secret')->group(function () {
            // Registers the default auth routes under /secret/...
            Auth::routes();
        });

so you can enter a URL like

https://example.com/secret/login
wd's avatar
Level 1

sorry I forgot to mention that I use LARAVEL 8

Snapey's avatar

obscurity IS NOT security

1 like
wd's avatar
Level 1

what do you advise me?

laracoft's avatar

@snapey Yes sir, but if I keep changing /secret/ I feel "safe" enough knowing that ex-employees have to first figure out /secret/ before being able to brute force usernames and passwords. Also, it's good enough that there isn't a single pattern that hackers can target if they know a site to be on Laravel.

End of the day, it is the hashed password that is protecting us.

laracoft's avatar

@wd I think you are pretty "safe" by changing /secret/ regularly.

automica's avatar
Best Answer
Level 54

There's little point in having a custom route prefix for register or login, as you'll be providing a link to these anyway, so changing these won't stop bots or 'unsolicited users' from accessing and attempting either.

Laravel is already using the ThrottlesLogins trait to rate limit abuse of the login form.

You might benefit from adding reCAPTCHA to your registration form and enforcing a 'click to verify email' process to prevent people immediately logging in and abusing your site's internals.

Other than that, add a special status for new users, and limit what they can do in the first day/hour etc., and that will give you time to approve the new users via an admin process, if need be.
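The 'click to verify email' and 'special status for new users' ideas from the answer above, sketched as a Laravel 8 route middleware; this is an added example, not code posted in the thread. The class name, the `approved_at` column on `users` and the 24-hour window are assumptions made for illustration.

```php
<?php
// app/Http/Middleware/EnsureAccountApproved.php
// Added example, not from the thread. Hypothetical pieces: this class name,
// the nullable `approved_at` column on users, and the 24-hour window.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Http\Request;

class EnsureAccountApproved
{
    // New accounts stay restricted for this long, even once approved.
    private const PROBATION_HOURS = 24;

    /**
     * Register in app/Http/Kernel.php under $routeMiddleware as 'approved', then:
     *   Route::prefix('admin')->middleware(['auth', 'approved'])->group(...);
     */
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        // Fail closed: reject a missing session and also a User model that does
        // not implement MustVerifyEmail (the built-in 'verified' middleware lets
        // such a model through, which hides a forgotten interface).
        if (! $user instanceof MustVerifyEmail || ! $user->hasVerifiedEmail()) {
            abort(403, 'Email address is not verified.');
        }

        // An administrator fills approved_at during the approval process.
        if ($user->approved_at === null) {
            abort(403, 'Account is awaiting approval.');
        }

        // created_at is a Carbon instance on Eloquent models with timestamps.
        if ($user->created_at->gt(now()->subHours(self::PROBATION_HOURS))) {
            abort(403, 'New accounts are restricted for the first day.');
        }

        return $next($request);
    }
}
```

With this in place the login URL can stay at its default path: access to the admin routes depends on the account's state, not on knowing the route name.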

laracoft's avatar

@automica You make a convincing case 👍 but still a little useful for registration, right? It should cut some fake registrations by quite a bit.

automica's avatar

@laracoft If you get 'fake' registrations filled out by people, I'm sure they'll be able to follow a text link to 'register'. It might cut down a bit of noise, but the best way to stop people getting in is to make sure your locks are good.

BTW, I frequently see 'wp-login.php' in the logs for a few of the sites we host. Why that link hasn't ever changed amazes me.
