Password Protected Site

How can one create a password protected site or document with Blocs? I know there is a video out there, but it is hidden behind a payment. Planning to host the site on GoDaddy.

Password protection is something done server side not on the actual page front end code.

Ask your hosts how to protect a page via the server’s Plesk or whatever server software they run. It should be fairly trivial.

This can not be done totally within Blocs. But with that said, there are a variety of ways to do this depending on what you really want. One would be to create a PHP based login form with an include added to each page you want to protect.

Another would be to use Htaccess through your web host panel to assign login access to a directory. But since Blocs does not support subdirectories in its output, you would be limited to a single login for the entire site (unless you wanted to be clever and put up some directories with redirects).

So it really depends on exactly what you want to do before anyone could best advise you on how to go about it.

2 Likes

It should be fairly trivial.

Depends on the level of expertise :slight_smile:

I did create on GoDaddy a password restriction to a directory and could easily with Htaccess get that working, but like ScottinPollock wrote it has limits. Just hoped I could use a bric to simplify the process.

Software that generates front-end code will never be able to securely protect anything - simply because any front-end source code can be hacked easily.

1 Like

Yes, Paul’s right, you could just right click and reveal the data easily. I’m open to potential suggestions for the future if someone wants to help integrate a PHP solution that I could hide a page behind?

2 Likes

A PHP solution could be pretty simple or very complicated. Without knowing what the average Blocs user’s needs would be, it is difficult to arrive at a solution. Security, simple password vs: multiple user/password array, user management (adding/signing up new users), and then of course when you start asking for user ID and passwords, your users are going to expect to see encrypted connections. So the whole thing can get pretty messy, pretty fast.

However, since you have already added the ability to output PHP pages, a mechanism to add code (a PHP include in this case) to the top of a page would go a long way in avoiding the need to post-edit Blocs files. The only thing that would need to be generated externally are the PHP file(s) for login form/user management.

I’m thinking super simple, 1 password that is set in app that unlocks the page when hosted.

I could easily drop the PHP header script into the page that is protected during export and then just show a basic vanilla ‘enter password’ when page is initially loaded.

I’d just need to make sure folks knew this is very basic security and should be used wisely.

2 Likes

If I contemplate even the basest of reasons for password protected site/pages, a single password is simply unworkable. Guessing sooner or later users come and go, passwords expire, etc. I would suggest at least a simple list of passwords.

So how would you handle timeouts? Or would the user have to enter password every time they load the page?

As opposed to doing this on the page level, wouldn’t it make more sense to create a login.php file in /includes and reference it from each protected page via:

```php
<?php include("path/to/login.php"); ?>
```

That way folks could update all passwords from a single place like the site settings panel.

This is getting a little more complex but I like it. My knowledge is front end and Cocoa, I’m not as clued up on the PHP side. Is it even possible to store passwords/user names and update them without a database?

Sure, just define an array in login.php. You could also plug that in from an external text file.

I can probably work something up if you’re interested.

2 Likes

Yes, that would be very cool. Then I can pick it apart and hook Blocs in where it needs to when generating the data on export.

Drop me an email and we can chat more about it :slight_smile:

This is a great idea @norm and @ScottinPollock

We also use PHP login scripts for securing front end pages. I can add those into the mix if you require any other help :sunglasses:

If you could secure Blocs pages out of the box that would be pretty cool.

2 Likes

Hello @rwimmer, check if this is what you need.
Go to this page: ANCARI and click on “Tabela de Preços”, then it will ask for a password.
If this is what you need I can put the code here.

Pealco, that solution has no value whatsoever - for two reasons.

  1. The correct password “password” is in the source code for the page - anyone can see it.
  2. It’s easy to work out what is being protected.

I would NEVER advise anyone to use this technique because you might imagine you are protecting something, but you are not.

Sorry.

1 Like

I know what you mean @pauland, but that script is not for something important, it is just a simple “not secure” way to make a barrier.
But you can check in the same page, in another place, a secure way to protect a page: ANCARI then choose any “Ficha Técnica”.

Check if it is what you need.

@Pealco, yes indeed, but if someone is not familiar with the technology, they may easily think that your first solution using javascript is secure. I have real problems with people wanting to secure a web page or anything else and being offered a method that makes them think the resource is secured, when it is not.

@rwimmer - by all means use the method that Pealco has suggested, it will fool only very naive web users. Anyone with a very basic understanding of how web pages work will still be able to get access to the resource.

@Pealco, your second method - which is secure - uses a server-side method to protect the asset (you’ve probably password-protected the pdf directory).

@rwimmer - the second method doesn’t involve blocsapp at all - it relies on configuring the web host to password-protect a directory and the assets (pdfs) in the directory are then protected. Blocsapp just links to the files. That is secure.

@rwimmer that’s exactly how @pauland explains.
@pauland what you explain about the pdf folder is exactly how I made it, protect the folder and create user and password verification in the server side for that folder.
:grinning:

What about the situation such as a private members section of a website where you want to restrict access only to members each with their own unique combination of email addresses and passwords? This probably would also require a database in some form or another to store each members info.
Does anyone know of a script or a way I could do this?

Depends on how many members. You can easily put the email/password pairs in a text file (or even define the array in the script itself), but if you have LOTS of different users walking the array is gonna be slower than an SQL query.

But here is what such a script would look like:

```php
<?php
// define users and their passwords below
$LOGIN_INFO = array(
  'scott' => 'scottPassword',
  'norm' => 'normPassword'
);

define('USE_USERNAME', true);

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 0);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);

// cookie expiry as a Unix timestamp (0 = cookie lasts until the browser closes)
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

if(!function_exists('showLogin')) {

// show login form
function showLogin($error_msg) {
?>
<html>
<head>
  <title>Please enter password to access this page</title>
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</head>
<body>
  <style>
    input { border: 1px solid black; }
  </style>
  <div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">
  <form method="post">
    <h3>Please enter password to access this page</h3>
    <font color="red"><?php echo htmlspecialchars($error_msg); ?></font><br />
<?php if (USE_USERNAME) echo 'Login:<br /><input type="text" name="access_login" /><br />Password:<br />'; ?>
    <input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Submit" />
  </form>
  <br />
  </div>
</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {
  // accept only string form values (array-valued fields are treated as empty)
  $login = (isset($_POST['access_login']) && is_string($_POST['access_login'])) ? $_POST['access_login'] : '';
  $pass = is_string($_POST['access_password']) ? $_POST['access_password'] : '';
  // strict, type-safe comparisons instead of loose == / !=
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFO, true)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFO) || !hash_equals($LOGIN_INFO[$login], $pass) ) )
  ) {
    showLogin("Incorrect password.");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
  }
}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify']) || !is_string($_COOKIE['verify'])) {
    showLogin("");
  }
  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFO as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    // hash_equals avoids loose string comparison of the hash values
    if (hash_equals(md5($lp), $_COOKIE['verify'])) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLogin("");
  }
}
?>
```
2 Likes
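
A hardened variant of the login include discussed in this thread, as an added example that is not code from any poster or from Blocs: it stores `password_hash()` output instead of plaintext passwords and keeps login state in a server-side session rather than an MD5 of the credentials in a cookie. The user names, the placeholder hashes and the `IDLE_TIMEOUT` value are assumptions, and the site is assumed to be served over HTTPS on PHP 7.3 or later.

```php
<?php
// login.php (added example): include at the very top of each protected page.
// The hashes below are placeholders. Generate real ones offline with:
//   php -r 'echo password_hash("the password", PASSWORD_DEFAULT), PHP_EOL;'
$USERS = [
  'scott' => '$2y$10$REPLACE_WITH_PASSWORD_HASH_OUTPUT',
  'norm'  => '$2y$10$REPLACE_WITH_PASSWORD_HASH_OUTPUT',
];
const IDLE_TIMEOUT = 1800; // seconds of inactivity before login is required again

// Session cookie: HTTPS only, hidden from page scripts, not sent cross-site.
session_set_cookie_params(['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// True when the session names a user still in the list and has not idled out.
function isLoggedIn(array $users): bool {
  if (!isset($_SESSION['user'], $_SESSION['last_seen'])) return false;
  if (!isset($users[$_SESSION['user']])) return false; // user was removed
  return (time() - $_SESSION['last_seen']) <= IDLE_TIMEOUT;
}
// Compare the submitted password with the stored hash; reject non-string input.
function checkLogin(array $users, $login, $pass): bool {
  if (!is_string($login) || !is_string($pass) || !isset($users[$login])) return false;
  return password_verify($pass, $users[$login]);
}

$error = '';
if (isset($_POST['access_password'])) {
  if (checkLogin($USERS, $_POST['access_login'] ?? '', $_POST['access_password'])) {
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['user'] = $_POST['access_login'];
    $_SESSION['last_seen'] = time();
  } else {
    $error = 'Incorrect login or password.';
  }
}
if (isLoggedIn($USERS)) {
  $_SESSION['last_seen'] = time(); // activity extends the session
  return;                          // back to the page that included this file
}
$_SESSION = [];                    // drop any expired or stale login state
?>
<title>Please log in</title>
<form method="post">
  <p style="color:red"><?= htmlspecialchars($error) ?></p>
  <label>Login <input type="text" name="access_login"></label>
  <label>Password <input type="password" name="access_password"></label>
  <button type="submit">Log in</button>
</form>
<?php exit; // never fall through to the protected content
```

Removing a name from `$USERS` locks that user out on their next request, because the session is re-checked against the list every time.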