[Pro] How to protect part of a website structure via username/password?

Dirk1 · June 4, 2010, 3:12am

Hello,

I’m trying to desperately figure out a way to protect part of my website with username/password logic.

Looking at the simple action “Password Protect URL” I don’t get far as I’ll be hosting my site via MobileMe and I cannot cutomize the error page (code 404) as far as I know.

I don’t have any PHP knowledge and cannot figure out how to do this. Any ideas anyone?

Thanks for your replies,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Dirk1 · June 4, 2010, 3:35am

Forgot to mention/be more specific:

I don’t need to meet the highest security standards possible
I don’t need to many different username/password combinations. In fact, a password would also suffice so that I needn’t bother with the username administration.
I’d be intending to protect a number of pages under one section of my web site

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

David_McCallum · June 4, 2010, 7:19am

You are much more limited because you will be hosted on Mobile Me - no PHP options available.

David

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Dirk1 · June 4, 2010, 8:35am

David,

if I then hosted my site somewhere else, is it an easy task of setting up the PHP page(s) with absolute Freeway beginer’s knowledge and no PHP experience whatsoever?

I fear I might be “out of my depth” if it gets into coding…

Regards,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

LLE_Freeway · June 4, 2010, 11:56am

Dirk,

You should be able to set this up from your account on your web
hosting site. Nothing in Freeway needed. In your account setup section
there should be a tool to select web pages you want the hosting site
to protect. you can define a username and password there. I use this
to provide a members only portion of a web site. Since the members
only section is several pages, I use a second separate Freeway project
to manage this section. See:

http://rutherfordquiltguild.org/RQG_OnTheWeb/membershipofther.html

LLE

On Jun 3, 2010, at 11:12 PM, Dirk wrote:

Hello,

I’m trying to desperately figure out a way to protect part of my
website with username/password logic.

Looking at the simple action “Password Protect URL” I don’t get far as
I’ll be hosting my site via MobileMe and I cannot cutomize the error
page (code 404) as far as I know.

I don’t have any PHP knowledge and cannot figure out how to do this.
Any ideas anyone?

Thanks for your replies,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

David_McCallum · June 4, 2010, 6:33pm

is it an easy task of setting up the PHP page(s) with absolute Freeway beginer’s knowledge and no PHP experience whatsoever?

As LLE said most (good) hosting providers provide this functionality within their Cpanel and it really is very easy to set up - this is what it looks like in most http://www.deltadzine.net/cpanel.html

Best/easiest to protect a folder and just create your protected FW pages within a subfolder in your FW doc with the same name.

Then a link to yoursite.com/protected_folder will require a user/pass combo for access. Remember that the first page that FW creates in a subfolder is automatically called index.html so the link above would go straight to that index page.

This way there is no PHP required - all is done server side (but cant be achieved on Mobile Me)

David

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Dirk1 · June 5, 2010, 2:35am

Thanks, David and LLE! I guess I’ll go with a “lite” version of my first website on MobileMe first and then look for a decent hosting provider for the “PHP featured” extended website.

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Dirk1 · June 14, 2010, 5:24am

David (or anyone :-),

I’ve now registered with FatCow (that allows for PHP) and would like to setup a username/password protected area on my website.

I understand from what I read how to setup the username/password side of things on FatCow. I also understand that I should create the “protected” part of my website within a separate folder using the same name to keep things simple.

What I don’t yet understand though is how I link the username/password request from my freeway website form to FatCow’s username/password checking. Or in other words: if I have a Freeway web page with a form on it comprising the two fields username and password, what do I do for the whole setup to work and these fields to be evaluated by FatCow when deciding whether to allow the user access to the protected websites or not?

Thanks for any advice,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

LLE_Freeway · June 14, 2010, 12:41pm

Dirk,
From my experience, the username and password for folders/pages is
not coordinated between FW and your FatCow. FatCow will ask for the
username and password in order to access a protected page. Once a user
has entered a valid User/Pass, the browser will “remember” the User/
Pass and whenever FatCow asks again, the browser will auto provide the
User/Pass, its kinda a cookie thing. Eventually the browser deletes
the cookie, but this is why one should not log into protected pages
from a public computer, like in a library, unless one knows how to get
the browser to trash the cookie when you are done with that computer.
Using a username and password in FW is generally for someone accessing
account info or other info that is in a protected database on the
server. In this case, the PHP pages will use the FW provided User/pass
to access the protected database, or allow someone to send email, etc.
Protected pages are protected by the server, not in conjunction with FW.

LLE

On Jun 14, 2010, at 1:24 AM, Dirk wrote:

David (or anyone :-),

I’ve now registered with FatCow (that allows for PHP) and would like
to setup a username/password protected area on my website.

I understand from what I read how to setup the username/password side
of things on FatCow. I also understand that I should create the
“protected” part of my website within a separate folder using the same
name to keep things simple.

What I don’t yet understand though is how I link the username/password
request from my freeway website form to FatCow’s username/password
checking. Or in other words: if I have a Freeway web page with a form
on it comprising the two fields username and password, what do I do
for the whole setup to work and these fields to be evaluated by FatCow
when deciding whether to allow the user access to the protected
websites or not?

Thanks for any advice,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

waltd · June 14, 2010, 12:43pm

When you use your hosting provider’s security system, you are not able
to use a Freeway-drawn login form to authenticate with it. Rather, you
set the security up on the host’s control panel or similar, and then
whenever anyone requests an image or page from within the protected
folder, the server will check with their browser to see if they have
authenticated. If they have not, then the browser itself will present
a dialog box (or sheet in most Mac browsers) with a login and password
field on it.

Once that’s done successfully, there will be no further requests for
identification until the session expires. Most sessions expire some
number of hours after the last request, so inaction counts as a
logout. Closing the browser in Windows, or quitting the browser on a
Mac, will cancel the session as well.

Note what I said about anything within the protected folder! There is
no way to guarantee within Freeway (under default settings) what
folder any given image will be drawn from. If you have one Freeway
document for both your secure and insecure content (with the secure
folder defined within the Site pane in Freeway), it is quite possible
that one or more images might end up being sourced from the Resources
folder inside the secure folder. This will present an authentication
dialog within the context of insecure content, confusing (or turning
away) your visitors.

Two possible solutions: 1) Use the “keep resources with HTML files”
option in the Publish settings (very messy from a file organization
standpoint). 2) Use a separate Freeway document for the secure site,
and have its “root” folder be the secure folder (much neater,
recommended).

Walter

On Jun 14, 2010, at 1:24 AM, Dirk wrote:

What I don’t yet understand though is how I link the username/
password request from my freeway website form to FatCow’s username/
password checking. Or in other words: if I have a Freeway web page
with a form on it comprising the two fields username and password,
what do I do for the whole setup to work and these fields to be
evaluated by FatCow when deciding whether to allow the user access
to the protected websites or not?

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Dirk1 · June 14, 2010, 1:52pm

Thanks, LLE and Walter for the quick replies.

Walter, did I understand you correctly that I would simply create another “web site” using the same layout in Freeway for the “secure portion” so that any moving between the (effectively two) sites is seamless? I would then just protect the secure portion via FatCow and jump back and forth depending on what I click on the menu? If so, I have two questions:

(1) I would require a menu spanning both sections of the overall website: the public and the secure portion. Am I to expect problems here? Anything to watch out for? I assume that the link to the secure portion would just be an external link from the public portion and vice versa, right?

(2) How would I create a Freeway page with form asking for user ID and password that follows my design rather than uses what FatCow provides - or did I misunderstand something?

Again, Thanks for feedback.

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

waltd · June 14, 2010, 3:16pm

On Jun 14, 2010, at 9:52 AM, Dirk wrote:

Thanks, LLE and Walter for the quick replies.

Walter, did I understand you correctly that I would simply create
another “web site” using the same layout in Freeway for the “secure
portion” so that any moving between the (effectively two) sites is
seamless? I would then just protect the secure portion via FatCow
and jump back and forth depending on what I click on the menu? If
so, I have two questions:

You would create two different Freeway documents (visually the same,
if the secure area is to look identical to the public area) that
publish into the same Web server. The secure document would publish
into a subfolder where you had used the control panel to require user/
password. The other document would publish into the parent folder
(probably the Web root) and would provide the public part of the site.

(1) I would require a menu spanning both sections of the overall
website: the public and the secure portion. Am I to expect problems
here? Anything to watch out for? I assume that the link to the
secure portion would just be an external link from the public
portion and vice versa, right?

All you would need to do in order to link into the private area is to
use the External Link portion of the Hyperlink dialog. If you wanted
to link to the home page of the private area, for example, you would
enter this: private_folder_name/index.html in the URL field. To link
out to the public site from a private page, you would enter: ../ index.html to move up a directory level and select the index page. If
you want a direct link to a different page, then you would simply note
that page’s filename and make your link as ../someOtherFile.html.

(2) How would I create a Freeway page with form asking for user ID
and password that follows my design rather than uses what FatCow
provides - or did I misunderstand something?

You can’t design the form the user will see when you use Basic
Authentication or Digest Authentication (the two kinds of security you
can apply to folders using a control panel on the server). The
individual browsers create that dialog as a popup dialog or slide-down
sheet, and it will look different depending on the browser and the
operating system.

If you want to have a designed login experience, you will need to use
an authentication system programmed in a scripting language like PHP
or Ruby or Perl. These usually look up users against a MySQL database.

Further on up the food chain from that is an authentication and
authorization system, which maps individual users into classes of
actions those users may perform, allowing some users to administer
other users, some users to only log in and see private content, other
users to create but not publish private content, etc.

This is a whole other kettle of fish, and can get extremely complex
very quickly, so you really need to start from the basics – what do
you need to hide, and from whom? Answer that question, and your
problem is half-solved.

Walter

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

LLE_Freeway · June 14, 2010, 5:42pm

Dirk,

I’ll throw my final two cents in.
Protecting part of your web site depends on why you are doing it.
An example is the simple site I created for my wife’s Quilt Guild. It
contains a public environment and a private environment. The public
environment contains public information about the Guild and the
private contains personal information about members, e.g. home phone,
address, email, etc. It contains copies of the ByLaws, and budget
information about the finances of the guild. Note, there is nothing
here that is really super sensitive like credit card numbers, I don’t
trust the web enough to put this kind of information on “protected”
pages. IMHO, this type of info should be in an encrypted database. So
to implement this I decided to ease my pain and develop two different
FW projects, one for the public, one for the private. They are, in my
opinion, two different web sites. I copy/pasted the master page from
the public project into the private project to maintain a common look/
feel. The css menus are different in the private side. In my
opinion, this is a simple, logical way to solve this type of
separation problem. There is a link on the public side to get to the
private environment and a link/menu item on the private side to return
to the public side. You can see the type of username/password query on
the public side by going to:

http://rutherfordquiltguild.org/RQG_OnTheWeb/membershipofther.html

note: if you examine the link when you click HERE on the above page,
to get to the private side, you will see that it goes to:

http://rutherfordquiltguild.org/RQG_OnTheWeb/members/index.html

which is in a folder in the public site. This folder is the path the
private FW project uploads it’s stuff to. The “members” folder is the
server cpanel protected folder.

LLE

On Jun 14, 2010, at 9:52 AM, Dirk wrote:

Thanks, LLE and Walter for the quick replies.

Walter, did I understand you correctly that I would simply create
another “web site” using the same layout in Freeway for the “secure
portion” so that any moving between the (effectively two) sites is
seamless? I would then just protect the secure portion via FatCow and
jump back and forth depending on what I click on the menu? If so, I
have two questions:

(1) I would require a menu spanning both sections of the overall
website: the public and the secure portion. Am I to expect problems
here? Anything to watch out for? I assume that the link to the secure
portion would just be an external link from the public portion and
vice versa, right?

(2) How would I create a Freeway page with form asking for user ID and
password that follows my design rather than uses what FatCow provides

or did I misunderstand something?

Again, Thanks for feedback.

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Dirk1 · June 15, 2010, 7:27am

Hi LLE, Walter,

ok, I get it. Security is server based and I’ll have to live with that.

In your case, LLE, I get a little dialog asking for username and password when accessing the member’s section what doesn’t look bad. However, when I click on cancel (or enter wrong information) I get the server’s error page. Am I right to assume that I could simply change that via a custom error page (.htaccess) in the password protected folder and link back to the public web site? If so then I might have a solution that is good enough for my first own web site project.

I might slowly be getting there.

Regards,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

LLE_Freeway · June 15, 2010, 12:43pm

Dirk,

I’m not sure about (.htaccess), but I’ll bet Walter can clear that up.
While I never did like the error page my server produced, I always
assumed the guild members knew the username/password and others
deserved a little trash on their screen for trying to break into the
members only section.

LLE

On Jun 15, 2010, at 3:27 AM, Dirk wrote:

Hi LLE, Walter,

ok, I get it. Security is server based and I’ll have to live with
that.

In your case, LLE, I get a little dialog asking for username and
password when accessing the member’s section what doesn’t look bad.
However, when I click on cancel (or enter wrong information) I get the
server’s error page. Am I right to assume that I could simply change
that via a custom error page (.htaccess) in the password protected
folder and link back to the public web site? If so then I might have a
solution that is good enough for my first own web site project.

I might slowly be getting there.

Regards,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

waltd · June 15, 2010, 1:25pm

In my experience, when you really bomb out of a server’s request for authorization, you either see whatever page you were already on, or you see the error page for header 401 “Not authorized”.

Try making a custom 401 page (use your cPanel or the local equivalent to set this). Make sure that any images your reference within this page have complete, absolute URLs, not the relative URLs Freeway favors. The quickest way around that is to use Tim Plumb’s Remote Resources Action.

Walter

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Julie1 · June 15, 2010, 7:28pm

QUick question to this:

I have a site:

http://www.grassrootsweb.net/Becky

if you see on the front i have 3 selections - I want when they click the wholesale to log in like your site you listed below does.

how do you coordinate the click and the user / password?

Thank you

Julie
On Jun 4, 2010, at 7:56 AM, LLE Freeway wrote:

Dirk,

You should be able to set this up from your account on your web hosting site. Nothing in Freeway needed. In your account setup section there should be a tool to select web pages you want the hosting site to protect. you can define a username and password there. I use this to provide a members only portion of a web site. Since the members only section is several pages, I use a second separate Freeway project to manage this section. See:

http://rutherfordquiltguild.org/RQG_OnTheWeb/membershipofther.html

LLE

On Jun 3, 2010, at 11:12 PM, Dirk wrote:

Hello,

I’m trying to desperately figure out a way to protect part of my website with username/password logic.

Looking at the simple action “Password Protect URL” I don’t get far as I’ll be hosting my site via MobileMe and I cannot cutomize the error page (code 404) as far as I know.

I don’t have any PHP knowledge and cannot figure out how to do this. Any ideas anyone?

Thanks for your replies,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

waltd · June 15, 2010, 7:44pm

The easy way is to have the click link into a sub folder that you have
protected already from your server control panel. So instead of having
the link be to a page in the Becky folder, you would have a folder
like htdocs/Becky/secureFolder and you would secure that folder. Then
any links into that folder of any kind would trigger the request for
authentication. Even a bookmark or a “deep link” passed along in e-
mail would get the same treatment.

Walter

On Jun 15, 2010, at 3:28 PM, Julie Maxwell Allen wrote:

QUick question to this:

I have a site:

http://www.grassrootsweb.net/Becky

if you see on the front i have 3 selections - I want when they click
the wholesale to log in like your site you listed below does.

how do you coordinate the click and the user / password?

Thank you

Julie
On Jun 4, 2010, at 7:56 AM, LLE Freeway wrote:

Dirk,

You should be able to set this up from your account on your web
hosting site. Nothing in Freeway needed. In your account setup
section there should be a tool to select web pages you want the
hosting site to protect. you can define a username and password
there. I use this to provide a members only portion of a web
site. Since the members only section is several pages, I use a
second separate Freeway project to manage this section. See:

http://rutherfordquiltguild.org/RQG_OnTheWeb/membershipofther.html

LLE

On Jun 3, 2010, at 11:12 PM, Dirk wrote:

Hello,

I’m trying to desperately figure out a way to protect part of my
website with username/password logic.

Looking at the simple action “Password Protect URL” I don’t get far
as I’ll be hosting my site via MobileMe and I cannot cutomize the
error page (code 404) as far as I know.

I don’t have any PHP knowledge and cannot figure out how to do
this. Any ideas anyone?

Thanks for your replies,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Julie1 · June 15, 2010, 8:04pm

Thank you walter

so it would be a folder in the public_html folder.

this btw will be on a real site when all the kinks and design is up.

J
On Jun 15, 2010, at 3:44 PM, Walter Lee Davis wrote:

The easy way is to have the click link into a sub folder that you have protected already from your server control panel. So instead of having the link be to a page in the Becky folder, you would have a folder like htdocs/Becky/secureFolder and you would secure that folder. Then any links into that folder of any kind would trigger the request for authentication. Even a bookmark or a “deep link” passed along in e-mail would get the same treatment.

Walter

On Jun 15, 2010, at 3:28 PM, Julie Maxwell Allen wrote:

QUick question to this:

I have a site:

http://www.grassrootsweb.net/Becky

if you see on the front i have 3 selections - I want when they click the wholesale to log in like your site you listed below does.

how do you coordinate the click and the user / password?

Thank you

Julie
On Jun 4, 2010, at 7:56 AM, LLE Freeway wrote:

Dirk,

You should be able to set this up from your account on your web hosting site. Nothing in Freeway needed. In your account setup section there should be a tool to select web pages you want the hosting site to protect. you can define a username and password there. I use this to provide a members only portion of a web site. Since the members only section is several pages, I use a second separate Freeway project to manage this section. See:

http://rutherfordquiltguild.org/RQG_OnTheWeb/membershipofther.html

LLE

On Jun 3, 2010, at 11:12 PM, Dirk wrote:

Hello,

I’m trying to desperately figure out a way to protect part of my website with username/password logic.

Looking at the simple action “Password Protect URL” I don’t get far as I’ll be hosting my site via MobileMe and I cannot cutomize the error page (code 404) as far as I know.

I don’t have any PHP knowledge and cannot figure out how to do this. Any ideas anyone?

Thanks for your replies,
Dirk

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options