Advanced Site Protector

The Advanced Site Protector secures pages on your site using reliable server-side protection, eliminating the pitfalls of other, insecure protection methods. The Protector provides security via a user-definable security model, connecting to your back-end database to restrict access via a query on your existing database of users.

Now you can secure individual pages or entire sections at once. Giving out access is as simple as defining the users to allow and/or deny based upon a table in your database. And because the Protector runs on the server, you can be assured that your site will remain hidden from prying eyes. Once a page has been protected, if a user has access and then bookmarks the page, they won't be able to return to that page without going through the login process again. This ensures that you have complete control over your site's security — grant or revoke permission at any time!

[Figure: flowchart of the login process]

The login process is demonstrated in the diagram to the right. The user is shown the login page, at which point they have the opportunity to enter their username and password. You can specify a JavaScript prompt which will appear if the user doesn't supply their username and, optionally, their password. The server will then check the entered username/password combination against the database you have specified. If the entered values match the database entries, the user will get redirected to the success page. You can also specify custom success pages for individual users and/or groups of users. If the login was not successful, the user will get redirected back to the login page and shown a custom message which you specify (e.g. "Sorry, your username/password was not found in the database. Please try again."). You can also set up a maximum number of attempts in order to prevent people from attempting to guess usernames and passwords. If they exceed the maximum number of attempts, they will be shown a "Too many tries" page and will not be able to try again for 20 minutes (the delay can be changed or eliminated if you wish). This lockout period will work even if they shut down and restart their browser.
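The login and lockout flow described above, modelled as an added example in Python rather than ASP; it is not the product's own code. The table layout, the salted PBKDF2 hash column, the attempt limit of 3 and keying the failure counter by username are assumptions. The counter lives on the server, which is what lets a lockout survive a browser restart.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_ATTEMPTS = 3            # assumed limit; the product lets the site owner choose
LOCKOUT_SECONDS = 20 * 60   # the 20-minute default described above

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed sample user table, held in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db

class LoginGate:
    def __init__(self, db):
        self.db = db
        self.failures = {}  # username -> (count, time of last failure), server-side

    def login(self, username, password, now):
        """Return 'success', 'login_failed' or 'too_many_tries'."""
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_ATTEMPTS:
            if now - last < LOCKOUT_SECONDS:
                return "too_many_tries"   # checked before touching the database
            count = 0                     # lockout period has passed
        # Bound parameter: the username is data, never part of the SQL text.
        row = self.db.execute(
            "SELECT salt, pwhash FROM users WHERE username = ?", (username,)
        ).fetchone()
        ok = row is not None and hmac.compare_digest(
            hash_password(password, row[0]), row[1])
        if ok:
            self.failures.pop(username, None)
            return "success"
        self.failures[username] = (count + 1, now)
        return "login_failed"
```

During the lockout window even the correct password returns `too_many_tries`, so a guessing run gains nothing from its later attempts.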

Components included in this system:

  1. Username: use this to place the field for the user to enter their username on the login form.
  2. Password: this is placed on the login form for the user to enter their password.
  3. Login Submit: this acts as the submit button for the login form and generates all the server-side code necessary to connect to the database and validate the user's information.
  4. Login Message: placed on the login page to show the message you have specified for an unsuccessful login attempt.
  5. Logout: when placed on a page, logs out the current user.
  6. Page Protect: this component protects the entire page using server-side security to grant or deny access to individual users and/or groups that you specify.
  7. Protected Image: show specific images only to certain users and/or groups which you specify.
  8. Protected Table: show an html table only to specific users and/or groups which you specify.

Features include:

  • connect to any database supported by the database drivers installed on your web server – includes Access, SQL Server, FoxPro, dBASE, Excel, Oracle, Paradox, etc.
  • custom prompts for invalid login attempt, missing username data, missing password data
  • ability to specify maximum number of login attempts, optional lockout period, and inactivity timeout minutes
  • custom success pages for specific users and/or groups
  • protection of individual pages with varying access levels. Grant access to everyone or no one by default and optionally specify users and groups to include or exclude on the access list.
  • protected images and tables which will be displayed only to certain users and/or groups with optional hyperlink (images only)

How it works: The Advanced Site Protector uses cookies to store the user's login information on the web server. When the user successfully logs in, the web server assigns them a cookie which identifies their information on the server. (Note for the techies: the cookie doesn't store the actual login information, so it is secure from tampering by knowledgeable users.) Later, if the user requests a protected page, the server checks that they have first logged in and that they have the permission levels needed to access the requested page. If they do not have permission, the web server sends them the failure page (this can be specified as the login page or any other page you have created). Note that, unlike other insecure client-side methods, the protected HTML page is never sent to the user's browser unless they have permission to view it. Only if they have logged in successfully and they are on the list of authorized users and/or groups for the page does the web server send the HTML page to the browser. Other solutions use client-side JavaScript code which can easily be bypassed by disabling JavaScript in the web browser.
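A model of the server-side check described above, as an added example in Python rather than ASP; it is not the product's own code. The session store, the page dictionary layout, the 15-minute inactivity timeout and the rule that deny entries override allow entries are assumptions. The cookie value is a random token that only indexes state held on the server, and the page HTML is returned only after the access check passes.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # assumed inactivity timeout, in seconds

class SessionStore:
    """Server-side sessions; the cookie carries only a random token."""
    def __init__(self):
        self._sessions = {}

    def create(self, username, groups, now):
        token = secrets.token_urlsafe(32)  # unguessable; encodes nothing about the user
        self._sessions[token] = {"user": username, "groups": set(groups), "seen": now}
        return token

    def lookup(self, token, now):
        s = self._sessions.get(token)
        if s is None or now - s["seen"] > IDLE_TIMEOUT:
            self._sessions.pop(token, None)  # unknown, logged out or timed out
            return None
        s["seen"] = now
        return s

    def destroy(self, token):  # what a Logout component would trigger
        self._sessions.pop(token, None)

def may_view(page, session):
    """Deny entries win over allow entries (an assumption of this sketch)."""
    if session["user"] in page["deny_users"] or session["groups"] & page["deny_groups"]:
        return False
    if session["user"] in page["allow_users"] or session["groups"] & page["allow_groups"]:
        return True
    return page["default_allow"]

def serve(page, token, store, now):
    """Return (status, body or redirect target); HTML leaves the server only on 200."""
    session = store.lookup(token, now) if token else None
    if session is None or not may_view(page, session):
        return (302, page["failure_page"])
    return (200, page["html"])

# Constructed sample page: closed by default, open to one group, one user excluded.
MEMBERS_PAGE = {
    "default_allow": False, "allow_users": set(), "allow_groups": {"members"},
    "deny_users": {"bob"}, "deny_groups": set(),
    "failure_page": "/login.html", "html": "<h1>Members only</h1>",
}
```

A bookmarked URL requested after logout or timeout reaches `serve` with a token the store no longer knows, so the response is the redirect to the failure page.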

How secure is it, really? The protected pages are as secure as your web server is. That means that as long as the usernames and/or passwords aren't easy to guess, your pages will be protected. This depends on your web server being set up to correctly process Active Server Pages code. By publishing and testing your web site, you can ensure that the server-side code is being run and that the pages are being protected.

What about bookmarks? If the user bookmarks a protected page and then either logs out, closes their browser, or hits the timeout limit and then subsequently goes back to the protected page, they will not be able to see it. Instead, they will be redirected to the failure page which you specify – it can be the login page if you choose.

What if the user disables cookies and/or JavaScript? The operation of the Advanced Site Protector doesn't use JavaScript to secure the web pages, so disabling JavaScript in the web browser won't affect the security of your site. If the user disables cookies in their browser, they will be unable to log in to the system – this, however, will not affect the security of your pages. Those you have chosen to protect will remain protected regardless of the user's cookie settings.



Requirements:

  • NetObjects Fusion 4, 5, MX, 7, 7.5, or 8
  • 3 MB free disk space

Server Requirements:

The Advanced Site Protector requires that your web server is able to run Active Server Pages ("ASP") code and connect to databases. Microsoft IIS (Internet Information Server) version 3.0 and up (available on Windows NT server) is able to achieve this with the appropriate database drivers which are freely available from the Microsoft web site. IIS is available as part of the Windows NT Server Option Pack. The free PWS (Personal Web Server) can also run ASP code and is available for Windows 95/98/ME systems. If you are running any other system, Chili!Soft has developed a product called Chili!Soft ASP which allows non-Microsoft web servers to run ASP code. Chili!Soft ASP pricing starts at $795 US per server. More information is available on Chili!Soft's web site. Because the Advanced Site Protector uses standard ASP coding and database connections, it meets the requirements for functioning within the Chili!Soft ASP environment. Note, however, that the Advanced Site Protector has not been tested with Chili!Soft's product. Please contact Chili!Soft directly if you have any questions on their ASP compatibility.


Reduced price: $99.95 (regular price $149.95), save 33%

Copyright © 2003 BitMotion Software Inc. All rights reserved.  "BitMotion" and the BitMotion logo are trademarks of BitMotion Software Inc.