I have a category that I want to protect using a password. I googled and found out some solutions to protect the whole site, but that's not what I want. I was wondering if there is a way to do that. Appreciate any suggestion.
One of the scenarios is, the category, say called personal, is located in the navigation bar, when people click this button, they are asked to enter password to visit.
You can use http://cloudcannon.com/ and create private content that is password protect.
If you are using regular hosting you can use a .htaccess file. If you host on github you can create a form that redirects to a filename that equals your password. Make sure your repo is private and you block search engines.
Related
I am new to this site and coding. I have self taught myself html and I understand css. I have been putting together a site of mine using my basic knowledge. I have no college experience but this is MY DREAM to put this site together so I have done a lot of research and read books to get started but I have hit a roadblock now. Here is what I have done:
-I have put together all of the front end pages and design using html/css. So, I have all of the pages that would be involved with the site, ready to go. All designed and have the layout how I wish it to be.
I guess I would call it the "skeleton" of the site. Any page that a user would be directed to, I have in a folder.
I have put together a little "demo" for myself to mimic a user experience. For example, I created a login page that "looks" how i want it to be but it doesnt actually store or save any logins.
This is my first question:
What is my next step? I admit it sounds stupd but I am self taught and I really have the ambition to acheive this I just can not figure out where to go from here in order to actually make a functioning site. All I have right now is my html "demo" where basically I have to follow a certain path down my site that mimics what a user would do on the site. I have it now where I click on the "sign up" button on my html form and it basically just redirects to my "new user" page. Then it is the same formula throughout the rest of my demo. I just put my other html pages I have designed into the html to sort of give a "user experience" to the demo. But I REALLY want to be able to have working accounts and saved data.
How do I create/save a user login to my site? DO i need to get a sql database? Is there a free one to use while i build the site? Honestly i really need someone who is willing to help me out with the steps in this journey without me sharing my entire site (i wish to keep it to my self) but.. i understand this is basic web stuff i just am genuinely lost as how to take it to the next level. I have all of the html done and now i need a way to actually make it work. I wish to conversate with someone please about this kink in the chain i am seeming to find myself in please. Thank you so much and I would be grateful. :)
----basically what programming languages do i need to learn, or when looking for someone to hire, what should they be skilled in? any software or sites or databases that i need? please help!!!
HTML and CSS are the languages that make up the front end of a website, like you said. In order for your website to have dynamic content (content specific to a user) and the ability to actually process logins, etc., there needs to be a server involved. A webpage is a text document that is interpreted by a browser. HTML makes up the content and CSS tells the browser how you want it to look. What you are missing, primarily, is server scripts, most commonly, in my experience, PHP. You can also include JavaScript for client-side effects.
Specific to your question about a user login, yes, you will need a database. The process should look something like this.
User visits login page
User enters information into an HTML form
User clicks submit
Form is submitted to a server URL using the 'POST' method
Server validates the form content
Server checks database for username or email (whichever you are using)
If the username/email exists, it compares the passwords
Server sends a response back to the client, either good or bad
Once the user is validated, you can redirect the user to the dashboard or user section.
Please keep in mind this is a very simplistic version of events. There are more in depth steps that need to be taken, for example, your passwords should never be stored in a database as plain text, you should use a one-way encryption (hashing) algorithm to make them unreadable. Then when a password is given to the server it should be hashed and you should compare the hashes. You can also use salts when hashing for more security. The form should use SSL to prevent man in the middle attacks, etc.
Sounds like you are off to a good start, but in order to make it work you have to add the server logic. Self-teaching will get you as far as you are willing to let it. I taught myself how to do web programming, and now I do it as a business. The Internet is a great resource. There are a ton of great tutorials online that will show you how to do everything I just laid out.
I want to allow anonymous users view access to a private folder & it's contents, only after they have submitted a valid email address through a form. I thought of emailing them a link to the folder, perhaps with a token that gives them access or logs them in, but I'm not quite sure how to do that.
I'm currently looking at collective.powertoken.core & collective.powertoken.view, but it seems that these products cover access to a single content item, rather than a whole folder.
I'm wondering if it's better just to add low priviledged users to the system & log them in without passwords.
Thanks
as suggested by #keul, you can use redomino.tokenrole.
If you want to integrate the tokenrole feature with a PloneFormGen you might consider to have a look at redomino.tokenroleform (https://pypi.python.org/pypi/redomino.tokenroleform): It is a custom plone form gen adapter that let you share a private object via token.
I don't know if redomino.tokenroleform fits your use case.
But you can browse the code in order to understand how to add a tokenrole programmatically.
Both products are for very low level usage.
Try redomino.tokenrole: https://pypi.python.org/pypi/redomino.tokenrole
For better security, I would like to rename the login url of my blog to something other than /wp-login.php. I found a plugin that would do the Job
http://wordpress.org/plugins/rename-wp-login/
But the problem is that it works only with non-default permalinks, which is a problem for me, because I use unicode names for my topics, which could make the link very long and messy with percent encoding. I wouldn't want to translate every link name to english... that's tedious!
Is there a way to hide wp-login.php and wp-admin from hackers without having to change the permalink form?
Thank you.
You can now use Rename wp-login.php plugin with any kind of permalink structure! ;)
I can suggest one great plugin that have plenty useful things in it and also what you want. And it uses other technique, that is not dependent on permalinks (in two words - it uses htaccess for all the magic).
It's called Better WP Security.
Here is the link
Why don't you use a permalink structure like this?
/%post_id%/
From long time i was tackiling with one issue.
some one trying to access my website using random password.
i got report of ip addresss, who hits wp-login.php files.
beside that i found .sd0 file in my root folder.
that file filled with some encrypted code.
I removed this and change my wp-login.php to wp-login-xx.php
After changed this file you required to change below file also to get proper execution.
search for wp-login.php and replace this with your assign name (wp-login-xx.php)
wp-login.php
wp-includes/general-template.php
wp-includes/pluggable.php
for better security also update wordpress with latest one.
This might sound a little complicated, but as I'm often working on my local databases in Lotus Notes I got the problem, that I can not authenticate. So I'm always working as Anonymous on my database.
The Problem is, that I can not test all functions, because for that I would need a valid Notesname.
How can I authenticate on localhost to work with my name/account and not as Anonymous?
You can not authenticate XPages/web applicatons using the local HTTP preview. You need to install a local server to do that (which is a good thing anyway for XPages development).
Try connecting to your machine using the fully qualified domain name, e.g. ^http://mymachine.mydomain.com instead of localhost
You can add yourself to your local address-book. And have it added to Database Security as Manager or whatever you want. That will help you to login using HTTP for local database.
I am looking to also do this, and I recalled a tip from searchdomino.com, the poster is Shawn Dezego
http://searchdomino.techtarget.com/tip/Testing-Authentication-Authorization-in-a-Web-App-Locally-WIthout-Running-a-Domino-Server
Here's the gist:
Just create any groups in your local address book and add your name to
the proper groups, roles etc. Then go to your Domains public address
book (Domino Directory), copy your person doc and paste it in your
local NAB. That's it.
This is the same basic tip as offered by the adjacent commenter. However, I think this may not work for Xpages apps, so I am loading a local server anyway.
Just create a person document in local NAB (names.nsf) and add HTTPpassword field with your password (hash it using #password("mypassword") formula) as text.
Make sure the person document contains the Fullname field, where you can put as test list your aliases. But Notes will use the first field entry as your name.
And remeber to set the first entry in canonical way (cn=user/ou=organization/o=domain)
Now you are ready to use this name in ACLs and names' (nested) groups.
I suggest to use hosts file to remap localhost with your site domain.
Enjoy!
(P.S. : You need to add anonymous entry in your db's ACL, and set it to editor access level. Once opened the application with browser, use the url command "&login" to force Notes to authenticate you)
I have a big list of websites and I need to know if they have areas that are password protected.
I am thinking about doing this: downloading all of them with httrack and then writing a script that looks for keywords like "Log In" and "401 Forbidden". But the problem is these websites are different/some static and some dynamic (html, cgi, php,java-applets...) and most of them won't use the same keywords...
Do you have any better ideas?
Thanks a lot!
Looking for password fields will get you so far, but won't help with sites that use HTTP authentication. Looking for 401s will help with HTTP authentication, but won't get you sites that don't use it, or ones that don't return 401. Looking for links like "log in" or "username" fields will get you some more.
I don't think that you'll be able to do this entirely automatically and be sure that you're actually detecting all the password-protected areas.
You'll probably want to take a library that is good at web automation, and write a little program yourself that reads the list of target sites from a file, checks each one, and writes to one file of "these are definitely passworded" and "these are not", and then you might want to go manually check the ones that are not, and make modifications to your program to accomodate. Using httrack is great for grabbing data, but it's not going to help with detection -- if you write your own "check for password protected area" program with a general purpose HLL, you can do more checks, and you can avoid generating more requests per site than would be necessary to determine that a password-protected area exists.
You may need to ignore robots.txt
I recommend using the python port of perls mechanize, or whatever nice web automation library your preferred language has. Almost all modern languages will have a nice library for opening and searching through web pages, and looking at HTTP headers.
If you are not capable of writing this yourself, you're going to have a rather difficult time using httrack or wget or similar and then searching through responses.
Look for forms with password fields.
You may need to scrape the site to find the login page. Look for links with phrases like "log in", "login", "sign in", "signin", or scrape the whole site (needless to say, be careful here).
I would use httrack with several limits and then search the downloaded files for password fields.
Typically, a login form could be found within two links of the home page. Almost all ecommerce sites, web apps, etc. have login forms that are accessed just by clicking on one link on the home page, but another layer or even two of depth would almost guarantee that you didn't miss any.
I would also limit the speed that httrack downloads, tell it not to download any non-HTML files, and prevent it from downloading external links. I'd also limit the number of simultaneous connections to the site to 2 or even 1. This should work for just about all of the sites you are looking at, and it should be keep you off the hosts.deny list.
You could just use wget and do something like:
wget -A html,php,jsp,htm -S -r http://www.yoursite.com > output_yoursite.txt
This will cause wget to download the entire site recursively, but only download endings listed with the -A option, in this case try to avoid heavy files.
The header will be directed to file output_yoursite.txt which you then can parse for the header value 401, which means that the part of the site requires authentication, and parse the files accordingly to Konrad's recommendation also.
Looking for 401 codes won't reliably catch them as sites might not produce links to anything you don't have privileges for. That is, until you are logged in, it won't show you anything you need to log in for. OTOH some sites (ones with all static content for example) manage to pop a login dialog box for some pages so looking for password input tags would also miss stuff.
My advice: find a spider program that you can get source for, add in whatever tests (plural) you plan on using and make it stop of the first positive result. Look for a spider that can be throttled way back, can ignore non HTML files (maybe by making HEAD requests and looking at the mime type) and can work with more than one site independently and simultaneously.
You might try using cURL and just attempting to connect to each site in turn (possibly put them in a text file and read each line, try to connect, repeat).
You can set up one of the callbacks to check the HTTP response code and do whatever you need from there.