Accessing Magento 2 Admin Without a Password: A Practical Guide

Learn how to securely access your Magento 2 admin panel without a password using a practical root script method. Ideal for developers and testers, this step-by-step guide walks you through creating and executing a temporary admin login script—perfect for password recovery or quick backend access in non-production environments.

If you're locked out of your Magento 2 admin panel and traditional recovery methods aren't working, using a root script can help you regain access. This method is particularly useful during development or for educational purposes. However, it's important to note that using this script in a live environment poses significant security risks.

Why Use a Root Script to Access Magento 2 Admin?

There are several scenarios where this approach is beneficial:

  • Password Recovery: When standard recovery options fail.
  • Development and Testing: To quickly access the admin panel without dealing with passwords.
  • Learning and Experimentation: To understand Magento's authentication mechanisms.

Remember, this method should only be used in a controlled environment.

Creating the Root PHP Script

  • Navigate to the Root Directory: Go to your Magento 2 installation's root directory.
  • Create the Script File: Create a new PHP file, e.g., adminLogin.php.
  • Insert the Script: Paste the following code into the file:
    <?php

    use Magento\Framework\App\Bootstrap;

    // The script sits in the Magento root directory, next to app/.
    // (If it is placed in pub/ instead, use '/../app/bootstrap.php'.)
    require __DIR__ . '/app/bootstrap.php';

    class AdminLoginApp extends \Magento\Framework\App\Http implements \Magento\Framework\AppInterface
    {
        public function launch()
        {
            $areaCode = 'adminhtml';
            $username = 'admin'; // Replace with your admin username

            // Run the request in the admin area so the backend classes and config load
            $this->_request->setPathInfo('/admin');
            $this->_state->setAreaCode($areaCode);
            $this->_objectManager->configure($this->_configLoader->load($areaCode));

            // Load the admin user by name and attach it to the backend session.
            // No password check takes place here.
            $user = $this->_objectManager->get('Magento\User\Model\User')->loadByUsername($username);
            $session = $this->_objectManager->get('Magento\Backend\Model\Auth\Session');
            $session->setUser($user);
            $session->processLogin();

            if ($session->isLoggedIn()) {
                // Record the session the same way a normal admin login does
                $remoteAddress = $this->_objectManager->get('Magento\Framework\HTTP\PhpEnvironment\RemoteAddress');
                $adminSessionInfo = $this->_objectManager->create('Magento\Security\Model\AdminSessionInfo');
                $adminSessionInfo->setData('session_id', $session->getSessionId());
                $adminSessionInfo->setData('user_id', $user->getUserId());
                $adminSessionInfo->setData('ip', $remoteAddress->getRemoteAddress());
                $adminSessionInfo->setData('status', '1');
                $adminSessionInfo->save();

                // Send the admin session cookie to the browser (valid for one hour)
                $cookieManager = $this->_objectManager->get('Magento\Framework\Stdlib\CookieManagerInterface');
                $cookieValue = $session->getSessionId();
                if ($cookieValue) {
                    $sessionConfig = $this->_objectManager->get('Magento\Backend\Model\Session\AdminConfig');
                    $cookiePath = str_replace('adminLogin.php', 'index.php', $sessionConfig->getCookiePath());
                    $cookieMetadata = $this->_objectManager->get('Magento\Framework\Stdlib\Cookie\CookieMetadataFactory')
                        ->createPublicCookieMetadata()
                        ->setDuration(3600)
                        ->setPath($cookiePath)
                        ->setDomain($sessionConfig->getCookieDomain())
                        ->setSecure($sessionConfig->getCookieSecure())
                        ->setHttpOnly($sessionConfig->getCookieHttpOnly());
                    $cookieManager->setPublicCookie($session->getName(), $cookieValue, $cookieMetadata);
                }

                // Redirect to the admin startup page, served through index.php
                $backendUrl = $this->_objectManager->get('Magento\Backend\Model\UrlInterface');
                $path = $backendUrl->getStartupPageUrl();
                $url = $backendUrl->getUrl($path);
                $url = str_replace('adminLogin.php', 'index.php', $url);
                header('Location: ' . $url);
                exit;
            }

            return $this->_response;
        }
    }

    $bootstrap = Bootstrap::create(BP, $_SERVER);
    $app = $bootstrap->createApplication('AdminLoginApp');
    $bootstrap->run($app);

  • Modify the Username: Replace 'admin' with your actual admin username.
  • Execute the Script: Access the script via your browser, e.g. https://your-website.com/adminLogin.php

Important Considerations

  • Security Risks: This script bypasses Magento's authentication, making it a potential target for unauthorized access.
  • Environment Usage: Only use this method in development or testing environments.
  • File Deletion: After use, delete the adminLogin.php file to prevent unauthorized access.
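
To back up the file-deletion step, the following added example (not part of the original guide or of Magento) scans an installation for PHP files that still open an admin session without credentials. It matches on file content rather than file name, so a renamed copy is also reported. The function names, the three-string heuristic and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: list PHP files that open an admin session without credentials.
# Heuristic (assumption of this example): a file is flagged when it names the
# backend auth session class and calls both setUser( and processLogin(, the
# calls the adminLogin.php script in this guide depends on.

scan_admin_login_scripts() {
    root=$1
    # vendor/, generated/ and var/ hold Magento's own classes and caches; skip them.
    find "$root" \
        \( -path "$root/vendor" -o -path "$root/generated" -o -path "$root/var" \) -prune \
        -o -type f -name '*.php' -print |
    while IFS= read -r f; do
        if grep -qF 'Backend\Model\Auth\Session' "$f" &&
           grep -qF -e '->setUser(' "$f" &&
           grep -qF -e '->processLogin(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree (not a real Magento install) for an offline run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/pub" "$t/vendor/magento"
    cat > "$t/adminLogin.php" <<'EOF'
<?php
$session = $om->get('Magento\Backend\Model\Auth\Session');
$session->setUser($user);
$session->processLogin();
EOF
    cp "$t/adminLogin.php" "$t/pub/health_check.php"       # renamed copy
    cp "$t/adminLogin.php" "$t/vendor/magento/Pruned.php"  # inside a skipped dir
    printf '<?php\nrequire __DIR__ . "/../app/bootstrap.php";\n' > "$t/pub/index.php"
    printf '%s\n' "$t"
}

# Usage: sh scan.sh /path/to/magento   (no argument: scan the sample tree)
if [ "$#" -gt 0 ]; then
    scan_admin_login_scripts "$1"
else
    demo=$(make_sample_tree)
    scan_admin_login_scripts "$demo"
    rm -rf "$demo"
fi
```

Any path it prints in a deployed environment should be reviewed and removed; an empty result only means no file matched this particular heuristic.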

Summary

Using a root script to access the Magento 2 admin panel without a password can be a lifesaver in certain situations. However, it's crucial to understand the associated risks and use this method responsibly. For ongoing access needs, exploring more secure solutions like the Admin Auto Login module is advisable.

FAQs

Why would I need to access Magento 2 admin without a password?

This is helpful when you're locked out of the admin panel, during development, or for learning purposes where quick access is needed.

Is it safe to use a root script for admin login?

No, it’s not safe for live environments. The script bypasses authentication and should only be used in development or testing setups.

How do I create a root login script?

Create a PHP file (e.g., adminLogin.php) in the Magento root directory, insert the provided script, and run it in a browser.

What should I change in the script before using it?

You must replace the default 'admin' username in the script with your actual admin username to log in successfully.

Where do I run the script from?

You can run it in your browser at https://your-website.com/adminLogin.php or directly via the command line if needed.

What happens after I run the login script?

If successful, you’ll be automatically redirected into the Magento admin dashboard as the specified user.

Should I delete the script after using it?

Yes. Always delete the login script immediately after use to prevent unauthorized access or exploitation.

Is there a safer alternative to the login script?

Yes, you can use the Admin Auto Login module from GitHub, which offers a more secure and manageable solution for dev environments.

Can this script work without modifying the Magento core?

Yes, the script leverages Magento’s object manager and admin session classes without altering the core codebase.

Does this method require a specific Magento version?

The script works with Magento 2 but may require slight adjustments if you're using significantly different versions or custom setups.