Does anyone have an Action that will generate a secure client login?
Our overall need is is to create a login page so varied clients can access their specific page or pages. We are not coders here at SDA but I think what we are needing is an Action that matches the user name and password to a list that would then direct the correct user to their specific page or pages. Would also like to be able to visualy style all aspects including any error message prompts and such.
How secure, and is this meant to be “security through obscurity”, or real actual “you can’t get there from here without the password, bub” security?
The Softpress Password Protected URL Action does the security through obscurity thing very neatly. If you know the password, you know the path to the files. But just one link out from that location to a non ‘obscure’ page, and Google has you and you’re in the index.
For the real thing, you get into the issue of how good (or just how normal) is your server. Does your ISP allow you to do the sorts of things you need to do to manage a session securely and enable and disable privileges? Hard to say without trying, hard to fix if it doesn’t work out of the box without experience and understanding of what’s under the hood. And desperately hard to debug from a distance.
To restate what I mentioned before - Password Protected Directories are the easiest way to implement this and most serious hosting providers provide this facility. If yours doesn’t then it may be worthwhile looking to move to one that does. Or even set up a new site on a decent server for client access. Hosting is cheap for something like this ie teamSDAclients.com
Back in 2007 I wrote a modified version of the Softpress Password
Protected URL action based on PHP rather than JavaScript. What
bothered me about the existing action was that the code would try and
load a page that wasn’t there if you entered the wrong password. At
best this would give the user a 404 error rather than an error for the
log-in.
The PHP version of the action checks to see if the target file exists,
and if it does, only then does it load the page content. If the user
enters the wrong password/filename then the code simply displays an
alert next to the form.
Here’s a very simple example; http://www.freewayactions.com/test/password/
In the real world you wouldn’t have a password/page name as easy to
guess as ‘softpress’ but would name your target pages something like
‘2h84d1p.html’.
TeamSDA, if this looks like a possible solution to your problem then
please get in touch and I’ll send you the action and sample Freeway
file. in the meantime I’ll try and find some time to get the action
and example document cleaned up and posted online.
Regards,
Tim.
On 20 Apr 2009, at 13:35, TeamSDA wrote:
To all the Actions programers out there,
Does anyone have an Action that will generate a secure client login?
Our overall need is is to create a login page so varied clients can
access their specific page or pages. We are not coders here at SDA
but I think what we are needing is an Action that matches the user
name and password to a list that would then direct the correct user
to their specific page or pages. Would also like to be able to
visualy style all aspects including any error message prompts and
such.
FreewayActions.com - Freeware and shareware actions for Freeway
Express & Pro.
Protect your mailto links from being harvested by spambots with Anti
Spam.
Only available at FreewayActions.com
Walt, thank you and yes we have looked at the Softpress action but it did not really seem secure for the reasons you mentioned and that the login can be bypassed if the user knows the URL.
Dave, thank you for the link to the scripts site but this seems a little more advanced than we can handle. As for our ISP they are more than capable but setting up new directory passwords each time we have a new client project seems a little inefficient. Our ISP handles Perl, Python, CGI, PHP 5, Ruby on Rails and has a 300 MB MySQL 5 Database.
Tim, pretty cool Action, please look at the following as I am not sure if this Action meets these requirements.
ACTION REQUIREMENTS / CONCERNS:
01_Single login page needs to match varied clients to their specific client pages.
02_Visually style error message prompts and such via Freeway not hand coding in the markup.
03_If pages have to be of a php type, does this not impact search engine bots ?
As for our ISP they are more than capable but setting up new directory passwords each time we have a new client project seems a little inefficient
It may be inefficient if you have to ask your ISP to do it for you every time, but it is dead easy if you can do it through Cpanel. Bear in mind that you only need one protected folder per client. You can have any number of subfolders for different projects within that protected folder.
Yes I believe we would be able to use the C Panel of our ISP and create such a secured folder. Not really warm to this idea as we want to use freeway as our means of making changes and updates. Also how would you recommend we set up a login style page as we want a field for the user to enter in their info and from their entered info they would be directed to the right page. Don’t want to have all the active projects and clients listed as links on a page for all to see. As for styling… well we are a design agency and form means a great deal to us.
The php question was really related to using other actions that require the page to be of a .php type. Sorry for putting the question in this thread, have a few things going on over here.
Having said that does the php page type hamper search engines from being able to crawl the page affectively?
Don’t want to have all the active projects and clients listed as links on a page for all to see. As for styling… well we are a design agency and form means a great deal to us.
If the client specific pages are in separated in locked folders that each client has a separate password to then the only thing each client would have access to is what is in each folder they have password to.
Not sure this is all you are interested in. Kind of sounds to me like you may need a cms, but your explanation of requirements is a little confusing.
Tim, pretty cool Action, please look at the following as I am not sure if
this Action meets these requirements.
ACTION REQUIREMENTS / CONCERNS:
01_Single login page needs to match varied clients to their specific client
pages.
Yes. At the moment the action is applied to a standard text input field which
can be styled, along with the rest of the form and page, using Freeway’s
regular CSS features.
02_Visually style error message prompts and such via Freeway not hand coding
in the markup.
Yes. At the moment the error message is appended to the form (using PHP) when
the user enters the incorrect password. The message text is defined from within
the action and also allows you to specify a CSS style as well. What the action
currently doesn’t do is allow you to place the error anywhere you like with
whatever content you like. You may want, for example, a graphic to appear
alongside the text input when the user hits an error. I’ve purposely avoided
this level of complexity to keep things simple although it can be added in if
needed.
03_If pages have to be of a php type, does this not impact search engine bots
?
No, not at all. PHP is a server side scripting language and should only ever
output clean valid code (HTML, CSS, JavaScript etc). As long as the code that
the search engine sees is valid then it shouldn’t have any impact on your
search engine rankings at all.
I’ll put a more detailed example Freeway document together for you tonight and
send it over for you to play with.
I’ll also post it online so other can get at it if they want to.
Regards,
Tim.
This is sounding like your Action may be close to what I ma looking for. Just so we are on the same page on our site I want to be sure the login is a single page that any user enters their information into and based on their entry they are directed to their secure page.
The whole idea is to drive traffic through our site to a single login page and Dave this is why I am not wanting to go the ISP directory rout. If I am understanding that approach it would require each client to be given link information and thus they would not be driven through our site.
As for the search engine bot issue and php that is great news. I only ask as I had read an article a few months back in .net magazine that I thought brought this issue up.
Hi David,
No. If the user knows the path to the real file then they can simply enter
into the browser and go directly to the page. Much like the original Softpress
action it’s wise to give these ‘hidden’ pages obscure names.
As for keeping search engines out I would think that as long as you don’t link
into the pages you should be OK. If you wanted to be sure you could simply put
a robots exclusion meta tag in each page.
The action offers a lot less than real authorization but is very easy to set up
and offers adequate protection for most single pages.
Regards,
Tim.
Sorry I forgot to answer the second question.
It obscures (rather than protects) either single HTML pages or directories that
contain a default index (or similar) file. For HTML files the code looks for
any html file that has the same name as the password entered. For folders the
user is redirected to the folder of the same name.
So for example;
e3r4t6 entered into the password field would show you the content of the html
page;
e3r4t6.html
or redirect the user to;
/e3r4t6/
Just
so we are on the same page on our site I want to be sure the login is a
single page that any user enters their information into and based on their
entry they are directed to their secure page.
Correct, although as I’ve previously mentioned the target page isn’t fully
protected, just simply hidden. If you know the name of the target page then you
can simply enter this in your browser and go straight there. The action
currently makes things a little tricker for anyone wanting to do this as it
obscures the URL of the target page. Technically the target page is ingested
into the form page and served from there. To the user it looks like the target
page has the same URL as the log-in page.
To be 100% secure I would advise you to implement a log-in/ log-out system using
PHP much like the PHP Basic Authorization action I created but using forms to
handle the username and passwords rather than relying on the browser to supply
the interface. This will be a lot more work than simply ‘hiding’ your pages
with something like the Password Protected URL (PHP) action but will provide
complete security for your client content.
Regards,
Tim.
In regards to the Password Protect Action that Walter originally gave me I was not able to get it to function. The login kept popping up as was previously discussed.
As for this action that is semi secure and simple, how can I get a copy?
What I would really like is the more advanced approach. Is there a tutorial on this or do you have plans to develop an action that would be available through your site in the near future?
Many, many years ago, there was a germ of truth to the idea that
dynamic Web sites (back when that meant page.php?
something=2&somethingelse=3 was how each page was distinguished) could
not be adequately spidered by Google (actually probably AltaVista –
that’s how long ago we’re talking about.
Nowadays, several things have happened to change that. For one, Google
is very very smart, and they figured out how to spider pages with
querystrings. For another, many Web frameworks and programming
techniques get rid of the querystring for you.
If you’re looking at this mailing list on the Web, take a look up at
the URL, and watch how it changes when you move around from page to
page. I’ll tell you now, the Web site uses PHP exclusively. (I know,
because I wrote it.) But you won’t see that fact exposed no matter how
hard you look.
Walter
On Apr 21, 2009, at 8:31 PM, TeamSDA wrote:
As for the search engine bot issue and php that is great news. I
only ask as I had read an article a few months back in .net magazine
that I thought brought this issue up.
If the user knows the path to the real file then they can simply enter