Passwords

My client wants to offer several different customers access to a password protected page - problem is each customer would need a different password, so they only see their own page and wouldn’t be able to see other customers’ information. Can this be done? I thought perhaps just set up a page for each customer and give the page a name such as: www.clientname.com/customername102834.html The numbers at the end would be a random code so that other customers would not be able to guess the page name. The link would then be emailed to the customer. Would this work?


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Yes, and to make it even friendlier, you could use the Password
Protected URL Action to make a friendly login page for the customer,
too. Password Protected URL - ActionsForge

You would draw an instance of this Action on the page. It will create
the “login” form for you, and all it does is take the value entered in
the “password” field and concatenate it together to make a link. I
haven’t used it in a while, but I think it’s pretty well documented.
Please note that this is not real security. Anyone who knows or
guesses the path can still navigate to the pages on your server
without any challenge.

But for your use, it would be very nice; you could make a different
folder for each client, suitably (and cryptically) named, and just
tell them that the name of that folder was the password. You only need
one login page, and you can make that public. You don’t need to enter
any passwords into the server or the Action, all you need to do to
create a new “client area” is to create a new folder, which you can do
easily in Freeway’s Site pane.

Walter

On Mar 3, 2011, at 9:16 AM, Noel Sergeant wrote:

My client wants to offer several different customers access to a
password protected page - problem is each customer would need a
different password, so they only see their own page and wouldn’t be
able to see other customer’s information. Can this be done? I
thought perhaps just set up a page for each customer and give the
page a name such as: www.clientname.com/customername102834.html The
numbers at the end would be a random code so that other customers
would not be able to guess the page name. The link would then be
emailed to the customer. Would this work?



Thank you for your quick response- works a treat for what I need. Maybe not the greatest security - but then if you guess any password you can get past it.



Well, if you stick to the rules of making strong passwords – mixed
case, numbers, no dictionary words – then you’re probably ahead of
the game until one of your customers clicks on an external link from
one of these “private” pages. At which point you have referrer
leakage, as the referring URL (your private page) is sent – in the
clear – to the site you’ve linked to. That will eventually get
crawled by Google if the target page has Google Analytics running on it.

So if you really want to keep humans and robots out, you need to
establish real server-based security for your private pages.

Walter

On Mar 3, 2011, at 11:12 AM, Noel Sergeant wrote:

Thank you for your quick response- works a treat for what I need.
Maybe not the greatest security - but then if you guess any password
you can get past it.


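The referrer leakage described in the message above, as an added example that is not part of the original thread: a simplified model of the `Referer` value a browser attaches when a visitor follows a link away from a "private" page, under several `Referrer-Policy` values. The hostnames and folder name are constructed, and "downgrade" is simplified to an https page linking to a non-https target.

```javascript
// Added example: simplified model of the Referer value sent when a visitor
// follows a link from a "private" page. Hostnames are constructed.
function refererFor(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  from.hash = "";                        // fragments are never sent
  const full = from.href;                // includes the secret folder name
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  // Simplification: "downgrade" means https page -> non-https target.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "origin":
      return originOnly;
    case "no-referrer-when-downgrade":      // the long-standing browser default
      return downgrade ? null : full;
    case "strict-origin-when-cross-origin": // default in current browsers
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// True when the value handed to the other site reveals the folder "password".
function leaksFolder(referer, folder) {
  return referer !== null &&
    referer.includes("/" + encodeURIComponent(folder) + "/");
}
```

On pages that must not leak their address, the policy can be set with a `Referrer-Policy: no-referrer` response header or a `<meta name="referrer" content="no-referrer">` tag.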

Oops – one important note about this that I forgot to mention: don’t
include any characters in your “passwords” which have significance in
a URL: @ , : / ? ; ! or you will have some difficult-to-diagnose
errors using this scheme.

Walter

On Mar 3, 2011, at 11:18 AM, Walter Lee Davis wrote:

Well, if you stick to the rules of making strong passwords – mixed
case, numbers, no dictionary words -



I know it is an old issue, the password.
On my site www.demetriad.com, my clients can see their sessions by going to “My Photo Session” tab and entering their password that takes them to the server. The first part of the password (the address of the server) is always the same: http://myphotosession.com/. After the forward slash the client adds the given password, for example: http://www.myphotosession.com/Ridgewood Country Club 2010, or http://myphotosession.com/Bergdorf Goodman_7th Floor 1. I would like to have the first part, the http://myphotosession.com/ permanently embedded in the action to make it simple for the client to enter just their name or whatever password I gave them, for example in the case above only “Ridgewood Country Club 2010” or “Bergdorf Goodman_7th Floor 1”. If that is possible, would anyone be willing to let me know how to do it?

http://www.demetriad.com/

http://www.demetriad.com/yoursession.html

http://www.myphotosession.com/Ridgewood%20Country%20Club%202010/

http://www.myphotosession.com/Bergdorf%20Goodman_7th%20Floor%201/

Thanks Walter or anyone else that will be kind to help.

Dan Demetriad



Oh, I see. The Action is built around sending people to pages or
folders within your site. The JavaScript to do this is extremely
simple. If you apply the Protaculous Action to the page, and follow a
couple of simple steps in Freeway, you could have this done in a moment.

Make your login page. Add a password field to the page by using
Insert / Text Field while you have a flashing text cursor where you
want the field to appear. (You may also want to add a Username field,
just to make it look official, we’ll be ignoring that in this approach.)

Click once on the field to select it, click over to the third tab from
the left in the Inspector and check the Password box; then give this
field a meaningful name in the Name field (I’m using myName in this
example, use your own variable name, and make sure the following bits
of code that rely on it all match up).

Finally, while the text field is still selected, choose Item /
Extended from the main menu. Make sure the tab is selected,
click New, and in the resulting dialog, enter:

  • Name: id
  • Value: myName

Okay out of the stack of dialogs.

I just want to stress the only important part of this exercise so far
– naming things.

  • Your password field needs to have a valid name. (Valid names begin
    with an alphabet character, traditionally lower-case, and do not
    contain any punctuation besides the underscore character. They may
    include numerals, as long as you are past the first character.)

  • The ID must be exactly the same as the name, case-sensitive, or poor
    old IE will start muttering to itself in the corner.

  • There must be no other element on the page with that same ID or Name
    attribute. You can verify this by previewing into a browser, using
    View Source, and then using the Find command to search for your field
    name. There should be exactly one hit for the name attribute and one
    hit for the ID if you’ve done everything correctly.

Now for the JavaScript. Click on the page, so you see the Page Actions
in your Actions palette. Click on the Protaculous tab (or apply the
Action if you haven’t already). Set the Library picker to prototype-
packed, and click on the top Function Body button. Paste in the
following, making sure that if you didn’t name your field myName, you
change this code to reflect the name you actually entered.

That’s the whole thing. As you can see, the explanation takes longer
than the code itself. Please let me know how it goes for you.

Walter

On Mar 4, 2011, at 9:36 AM, Dan Demetriad wrote:

I know it is an old issue, the password.
On my site www.demetriad.com, my clients can see their sessions by
going to “My Photo Session” tab and entering their password that
takes them to the server. The first part of the password (the
address of the server) is always the same:
http://myphotosession.com/. After the forward slash the client adds the
given password, for example: http://www.myphotosession.com/Ridgewood
Country Club 2010, or



Thanks Walter.
You always come through for everybody that asks simple or complicated questions on this forum. I’ll try the “medicine” later today and I’ll let you know how it worked.
I am still a little confused about all that coding (sorry) as I want to have in the page a field where different people enter different passwords without writing the whole URL that will be common to all.
Thanks again,

Dan



If you look at the code in the Gist, you’ll see that I hard-coded in
the prefix of the address, so nobody will need to enter it. Whatever
the user enters as a password becomes the folder name, which should
get them into their folder. By the way, you need to keep spaces and
punctuation out of these folder names. I’ve added code to work around
this, but you should consider it a very bad practice and avoid where
possible.

Walter

On Mar 4, 2011, at 12:04 PM, Dan Demetriad wrote:

Thanks Walter.
You always come through for everybody that asks simple or complicated
questions on this forum. I’ll try the “medicine” later today and
I’ll let you know how it worked.
I am still a little confused about all that coding (sorry) as I want
to have in the page a field where different people enter different
passwords without writing the whole URL that will be common to all.
Thanks again,

Dan



I decided to actually test this code, and discovered a tiny syntax
error, which I’ve fixed in the Gist, so if you copied the code
previously, be sure to get the latest version.

Walter

On Mar 4, 2011, at 12:10 PM, Walter Lee Davis wrote:

If you look at the code in the Gist,


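The folder-name-as-password login discussed in this thread, sketched as an added example (it is not the Gist mentioned above, which is not reproduced on this page, and it does not use Prototype): the fixed address prefix is hard-coded, the typed value is checked for the URL-significant characters warned about earlier, and spaces are percent-encoded. `BASE`, `checkFolderName` and `loginUrl` are hypothetical names.

```javascript
// Added example, not the code from the thread. BASE is a placeholder prefix.
const BASE = "https://clients.example/";

// The characters the thread warns about (@ , : / ? ; !) plus a few others
// that also carry meaning inside a URL.
const URL_SIGNIFICANT = /[@,:\/?;!#&=+%\\]/;

// Returns a list of reasons a value is a poor folder name / "password".
function checkFolderName(name) {
  const problems = [];
  if (name.trim() === "") problems.push("empty");
  if (URL_SIGNIFICANT.test(name)) problems.push("url-significant character");
  if (/\s/.test(name)) problems.push("whitespace (must be percent-encoded)");
  if (name === "." || name === "..") problems.push("dot segment");
  return problems;
}

// Builds the address the login form would send the visitor to.
// Whitespace is tolerated and encoded; everything else flagged is rejected,
// so the typed value can never change the host or climb out of the prefix.
function loginUrl(password, base = BASE) {
  const name = password.trim();
  const problems = checkFolderName(name)
    .filter((p) => !p.startsWith("whitespace"));
  if (problems.length > 0) {
    throw new Error("rejected: " + problems.join(", "));
  }
  return new URL(encodeURIComponent(name) + "/", base).href;
}
```

In a browser the form's submit handler would assign the returned value to `window.location.href` and show a generic error message when `loginUrl` throws.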