[Pro] Password secure staff login page

Hi Guys,

I know you get asked this a lot but I’m struggling! I’ve looked through the posts and tutorials and can’t find what I’m looking for.

Basically, I want to set up a secure staff only page on my website. Each will have their own username and password. There will be only a few users at present but will be expanding shortly so needs to be for a large user group. My server supports PHP and it needs to be fairly secure.

I’m new to Freeway but know the basics.

Can you please help me, from the start, on how to build this page.

Much appreciated!

Jemma


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

What sort of content are you securing, and will this be a single page or a sub-section of the site?

Also, what’s your security policy like? Do you need to keep people from sharing links to this content? Do you need to log people out after some period of inactivity? Do you need a record of visits to this area?

Almost anything is possible, but more detail will keep us from doing what Pfish say in their song: “I’m building you a pyramid, with limestone blocks so large; I drag them from the mountain top, you need a two-car garage.”

Walter



Hi Walter,

Thanks for the reply.

It will be a sub-section of the website containing technical drawings, regional branch information, company information, news and events. I am still deciding whether to include the end of week reporting to show how each branch is performing and targets to meet, so in that respect, it would need to be very secure as I wouldn’t want it getting out.

I would like to stop people sharing links as the only people who need to know information on that part of the website will have full access to it anyway.

I like the idea of logging people in and out, increases the security a bit. There is no need to record visits.

Your help is much appreciated!

Jemma



The very simplest thing of all would be to use your hosting provider’s
control panel to add a password to that folder on the server. It’s
usually very simple to do, and you can add as many different user/
password combinations as you like, although it is different for each
host.

Walter


I have used this login script before. It’s very easy to integrate with FW. You can assign the users in the admin panel.

Here’s a link to the login page on my client’s site - http://www.jplcares.com/careers/employeeforms.html



On 28 May 2010, 12:20 pm, waltd wrote:

The very simplest thing of all would be to use your hosting provider’s
control panel to add a password to that folder on the server. It’s
usually very simple to do, and you can add as many different user/
password combinations as you like, although it is different for each
host.

Walter

On May 28, 2010, at 4:59 AM, jemma wrote:

Just tapping into this thread rather than starting another on the same subject if that is ok!
I am trying to do the same thing which is to have a section of a website which is for registered members only.
I have set aside a folder which I have made password protected. However when I go to visit this directory how can I get a custom login page to be what people will see when they find it? Currently all I get is the old “Internal server error” page.



If you’re getting that sort of error, then you probably didn’t set up the password correctly on your hosting provider’s control panel. That’s something to take up with them, because they do vary from server to server.

But if you want a custom login page, you’ll have to use something besides the htaccess protection that your hosting provider (should) offer. If you want to design that interface, you’ll need to use a script and (most likely) a database to manage users and logins.

There are a lot of different systems available on HotScripts and other server-side script sites. All of them require some facility with a text editor and an FTP application at a minimum, some require that you actually understand how to program a server-side application in one scripting language or another. So it depends a lot on your experience base what approach you end up taking.

Walter



Thanks Walter.
I have this working now. I can get folk to login easy enough to the password protected directory now. The next thing is getting them to log out! Is there a way to set up a time out on the content of the directory so that it won’t be left open should someone inadvertently leave a page open?
You mentioned earlier about preventing folk sharing links and the need to log people out after some period of inactivity as well as maybe recording visits to this area. Is this possible using only the password protected directory? Or can these features be set up in some way with Freeway?



You cannot log out someone from a password protected directory
(using .htaccess – the Basic Authentication provided by your hosting
provider). The only way to expire those credentials is to get your
user to close the current window (on Windows or Chrome on any
platform) or to quit the entire browser application (on all other Mac
browsers).

In order to do a timed logout you will need to use a security script
and some sort of database to store the credentials and sessions. Your
script will compare the current time to the time that the user logged
in, and log that user out when the difference meets your threshold.
Usually these sorts of scripts reset the timer each time a new page is
requested by the same user, so the timeout happens when the user walks
away for N minutes and stops clicking on links.

Walter
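
The timed logout described above, sketched in PHP as an added example (it is not code from this thread or from any of the scripts mentioned in it). The 15-minute limit, the `/staff/` folder, the `STAFFAREA` session name, `login.php` and the `$_SESSION['user']` key are all assumptions.

```php
<?php
// Added example: require_once this file at the top of every protected page.
// Needs PHP 7.3+. Do NOT include it from login.php itself (redirect loop).
// Assumed names: /staff/ folder, login.php, STAFFAREA cookie, $_SESSION['user']
// (set by the hypothetical login script after it verifies the password).

const IDLE_LIMIT = 900; // assumed policy: 15 minutes without a page request

// Pure decision: true when there is no activity stamp or it is too old.
function session_is_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity === null || ($now - $lastActivity) >= $limit;
}

function require_fresh_login(): void
{
    $cookie = [
        'path'     => '/staff/',  // cookie is only sent for the protected area
        'secure'   => true,       // HTTPS only
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',
    ];
    session_name('STAFFAREA');    // separate session from the forum's own login
    session_set_cookie_params(['lifetime' => 0] + $cookie);
    session_start();

    $last = $_SESSION['last_activity'] ?? null;
    if (!isset($_SESSION['user']) || session_is_expired($last, time())) {
        // Wipe the server-side record and tell the browser to drop the cookie.
        $_SESSION = [];
        setcookie(session_name(), '', ['expires' => time() - 3600] + $cookie);
        session_destroy();
        header('Location: /staff/login.php?expired=1');
        exit;
    }

    // Still active: reset the timer so the limit counts idle time, not total time.
    $_SESSION['last_activity'] = time();
}

require_fresh_login();
```

Because the activity timestamp is kept in the server-side session, editing the cookie in the browser cannot extend the login.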


Here is something that I have been looking at: Puremango

It has an optional Log out feature.

Not the easiest to incorporate into FW but will do what you want.

There are loads of similar scripts out there but htaccess is the easiest to manage.

How critical is the log out feature, how secure does this need to be?

D



Hello Dave, That seems a possible option though I note that some folk have had some issues with it according to the comments below it.
I like the idea of the htaccess but if it can’t do the timed out logout then I guess I’ll go with a php solution.
I’ll give the phpjabbers one a look and see if it does the job.
What set up is used in the freewaytalk forum?



What set up is used in the freewaytalk forum?

I will leave that to Walter to explain but suffice it to say that it will be customised PHP integrated with a MySql database and utilising Ajax form injection - a bit beyond your needs.

The main consideration you have is ‘How secure does it need to be’ - do you really need a Log out?

This is another I have used http://www.webmasterscripts.org/detailed/webwerks-cookie-authenticator.html

D



I guess it’s really more about a timing out feature more than a log out. I’d prefer that once the secure area had been accessed that if folk move away from it that after a period of inactivity from the user that they would require to have to login again.
It’s not that there’s any State secrets or other dodgy dealings going on but just to protect users from unauthorised intrusions.

Currently I have a php forum setup and running and I want to extend what’s available to the members of this with a series of other features which for me are too complex to incorporate behind the login of the existing forum. The password protected Directory seems the most direct and possibly easiest to set up though lacks maybe the manageability from what I understand.

The webwerks link looks interesting but the link leads to a site where there is no mention of the code. I’ve emailed the guy to see if he still has it available.



On Jan 11, 2011, at 5:58 AM, DeltaDave wrote:

What set up is used in the freewaytalk forum?

I will leave that to Walter to explain but suffice it to say that it
will be customised PHP integrated with a MySql database and
utilising Ajax form injection - a bit beyond your needs.

Pretty much true, but there’s also a parallel Mailman database (which
is all managed in Python using flat files) to do all the mailing list
chores. Basically what I wrote is a “bot” that is subscribed to the
list like any other user, and “reads” all the mail and translates it
into Web pages. The user management stuff is custom-built, and
integrates with Mailman through a set of intermediary shell scripts
written by Finlay Dobbie, so that Mailman and the MySQL user logs can
remain loosely-coupled. There are Web-only members who are not mail
recipients, but all mail recipients have access to the Web…

On almost any level, it’s overkill for your needs.

The main consideration you have is ‘How secure does it need to be’ -
do you really need a Log out?

Banking Web apps, to name one example, require in their security
policy that an unattended computer cannot be used to mount an attack
on your account. So they use one-time tokens, short-lived session
cookies, and other tricks to ensure that they properly tip the balance
away from your convenience and toward your security. If your needs are
not that extreme, or if the danger to your customers is not so
immediate or dire, then you can get away with a more relaxed approach.

Walter



On Jan 11, 2011, at 6:30 AM, tonzodehoo wrote:

I guess it’s really more about a timing out feature more than a log
out. I’d prefer that once the secure area had been accessed that if
folk move away from it that after a period of inactivity from the
user that they would require to have to login again.
It’s not that there’s any State secrets or other dodgy dealings going
on but just to protect users from unauthorised intrusions.

This will require a separate session for your secure area, and a
timing feature as I described earlier.

Currently I have a php forum setup and running and I want to extend
what’s available to the members of this with a series of other
features which for me are too complex to incorporate behind the
login of the existing forum. The password protected Directory seems
the most direct and possibly easiest to set up though lacks maybe
the manageability from what I understand.

There are some single-sign-on features built around popular forum
applications, so you may find a plugin available for your system that
can leverage that login system for your secure area. But if you have
different security policies for the forum and secure area, you may
want to consider two disconnected systems, with a separate login
required for each. For example, if you allow members to remain logged
in on the forum (for their convenience) but require that the secure
area log out after 15 minutes of inactivity, then you’d need to keep
these separate, or extend the forum login system to be “aware” of the
separate realm.

The first thing to do is to sit down with your client and discuss the
security needs. Write up a formal policy spelling out what the
expectations are, what the risks are, and most importantly, what the
budget is for meeting those expectations and mitigating those risks.
Then you can apply a more formal process to choosing a security
solution, and grade its performance later.

Walter



Thanks for that and from what you say I guess my needs are not quite as advanced or as complex as this forum or a bank but fairly basic in theory. I just want to avoid members leaving pages open and allowing others access to the forum should they forget to close it down.
Certainly the path of least resistance or more relaxed approach is quite appealing!

Got an email back from the guy who created WebWerks Cookie Authenticator saying that it is pretty much outdated. I get the impression he maybe doesn’t offer it for sale anymore.

What would you recommend as a solution which is comprehensive and not horrendously complex to implement? Is it php for me?
Thanks for your feedback



Hello Walter, I think we’re out of sync a bit with our dialogue. I had posted my last post before your other one appeared!

To a fair degree I am the client on this one. I am a member of a pipe band. I currently manage the website and the forum therein. I want to extend the forum to include a diary, download section, and blog. Currently the forum is a members only login (PhpBB). My idea was to have a single login for the whole secure area covering the forum, Blog, diary and download section so that once a person has logged in then they have access to everything and everything is secure within this area.

I thought the password protected directory was the way ahead and possibly the easiest to implement. The only down side for me was that of the lack of the time out feature. I’m still weighing this up as an option against a php solution.



PHPBB requires its users to log in so you can tell who said what. If
you wrap that in a separate secure directory login, the users will
need to log in twice. You might want to look into a system where the
users log in through PHPBB but you “share” that login across secure
folders as well, so they only have to be logged in once. One other
issue with going ahead the way you describe here is that the two
“databases” are completely isolated, which means double-work for you
(or an insecure “group” password for the folder, and a separate
personal password for the forum).

Have a good look on HotScripts for a security system that integrates
with your version of PHPBB. That’s probably going to be your simplest
path forward, even though it requires some coding.

Walter
