- uploads/.htaccess: deny all direct web access to uploaded customer docs
- admin/view-doc.php: add realpath() path-traversal check (mirrors view-doc.php)
- admin/view-doc.php: remove dead double-query (result was always overwritten)
- .gitignore: uploads/* wildcard so .htaccess can be tracked
Cookies failed consistently in real browsers despite working in curl.
Replaced with DB-stored token passed as ?_t=TOKEN in URL:
- Login generates 64-char hex token, stores in admin_tokens table
- Redirect to /admin/?_t=TOKEN after successful login
- Every request validated via DB lookup (no cookies needed)
- All 7 AJAX calls include &_t=TOKEN in POST body
- Logout deletes token from DB
- Requires admin_tokens table (created in DB)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add PHP no-cache headers (Cache-Control: no-store) at top of file so OLS
cannot cache the login page and serve it to authenticated users — this was
the root cause (OLS ignores .htaccess Header directives)
- Replace status filter anchor links (/admin/?status=X) with client-side JS
filterBookings() — no page navigation means no cookie re-verification on
each filter click, eliminating the persistent login redirect
- Add data-status attribute to booking rows for JS filtering
- Load all bookings at once; filter is instant and stays on same page
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- DEPOSIT_AMOUNT changed from $100 to $45
- Balance (package price minus $45) shown dynamically in booking form when package selected
- Customer confirmation email shows breakdown: deposit hold + balance at pickup
- Admin email table includes deposit hold and balance columns
- Admin booking flow step 5 shows deposit held + balance at pickup
- Reminder email deposit detail updated to reflect held deposit and balance
- Live status field shows $45 during card authorization flow
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Square Web Payments SDK card element in booking form
- Delayed-capture hold ($100) on booking submit — not charged until confirmed
- Live payment status field: Verifying card → Authorizing → Confirmed w/ hold ID
- Admin: Capture / Void / Refund actions for each booking
- square_payment_id returned in API response for frontend confirmation display
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PHP sessions were unreliable on this host — the web process could write
session files but LiteSpeed served cached login-page responses on the
redirect, bypassing PHP entirely.
Replace sessions with a self-contained signed cookie:
- On login: generate random 32-byte token + expiry, sign with HMAC-SHA256
- On each request: verify signature and expiry — no filesystem reads needed
- Cookie: Secure, HttpOnly, SameSite=Lax, path=/admin/, 24h expiry
- admin/.htaccess: CacheEnable off + no-store headers to prevent LiteSpeed
from caching admin responses
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Admin portal overhaul:
- Fix require_once path (was admin/db.php, should be ../db.php) — this was
the root cause of the login always redirecting back to the login page
- Fix session save path to /home/parkerslingshotrentals.com/sessions so the
web user (parke1909) can actually read sessions back (the system default
/var/lib/php/sessions was write-only for non-root)
- Fix AJAX unauthenticated response: return 401 JSON instead of login HTML
- Fresh bcrypt hash for admin password (Parker2026!)
- Add 3 new DB columns: insurance_verified, deposit_received, license_verified
- Replace flat bookings table with expandable per-customer flow panel:
click any row to open a 3-column detail drawer showing:
(1) full contact info + admin notes
(2) 6-step booking flow checklist with inline toggle buttons for steps
that admin marks (insurance, deposit, license)
(3) send-reminder email builder — pick which pending items to include,
send customer a personalized nudge with waiver link + instructions
- Progress dots in table row update live when admin toggles a step
- Stats row now includes waiver, insurance, deposit counts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- waiver.php: full rental agreement with canvas e-signature pad, 6 required
checkboxes, typed name field; stores sig image + IP + timestamp in DB;
emails signed confirmation to customer and admin
- bookings table: add waiver_signed, waiver_signed_at, waiver_ip, waiver_name,
waiver_sig columns
- contact.php: confirmation email now includes Sign Rental Agreement button/link
- admin/index.php: Waiver column shows Signed (date) or Pending + Send Link
- index.html: How It Works expanded to 5 steps (added Get Approved + Sign Waiver
before Hit the Road); insurance updated to Proof of insurance required; FAQ
and JSON-LD updated to match
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
myron