Password Protect 6

• Intro
• Demos
• How-to
• Tutorials
• Cautions
• Issues

How you add Password Protect 6:

As we said before, the UserID/Password Login Form can be added either directly onto your page (as a DW Object), or it can pop open when the user clicks on a link (as a DW Behavior).

To insert the Login Form right onto your page (as an Object):

You are adding the Login Form as an Object: Place the mouse cursor on your page where you want the Login Form to appear. In the Goodies tab of the Insert Bar, or on the Insert/Valleywebdesigns menu, click on the Key icon to open the UserInterface. One Login Form Object is permitted per page.

To have the Login Form appear in a popup window (as a Behavior):

You are adding the Login Form as a Behavior which appears when the user clicks on linked text (or any linked element): Select some text or an image. In the Property Inspector, add "javascript:;" (without the quotes) to the Link field. Do NOT make the mistake of creating a link to your protected page or folder! Then select the linked text or image in Design View, go to the Behaviors Window, click the + button and click on Password Protect 6: You may add as many Password Protect 6 Behaviors on a page as you wish.

Essentials

The fundamental secret is this:

The Password IS the Actual filename of the file you are protecting (minus its extension)

The UserID IS the Actual foldername where that file resides.

Now what this means is that when the user is asked to supply a UserID, what she is REALLY being asked for is the name of the Folder in which the protected file resides. And when she is asked to supply a Password, what she is REALLY being asked for is the name of that protected File. It's that simple really. What is ALSO means is the YOU do not enter a PW or USERID anywhere in Passprotect6 ! Just supply the files and folders with the correct names on your webserver and the USER enters their names !

If your Folder and/or File names are hard to guess, then they are safe. Unlike many other javascript-based password systems, Password Protect 6 does not place the UserID or Password in the Source code of your page, so this information can not be discovered by a snooper simply peeking at that code. With this simple schema your files are safer than with any other known client-side javascript-based technique. Without knowing how you've named your folders and files, a snooper can not get to your files.

Password Protect 6 allows you the flexibility to ask for a Folder name (a UserID), or a File name (a Password), or both of them:

• In its simplest form, a UserID (foldername) is not required if you simply keep your protected file right in the folder with your current open document. Only a Password (the file name minus its extension) will then be required for access. In this case you would want to be sure to give your file a really tricky name (which will be its Password), like "4si8je1k".htm.
• To organize your files better, you may want to place all your protected files in a particular folder. Name this folder as simply or as obscurely as you wish, with names as simple as "auntmaggie" or as obscure as "3kofW9t" . Just be sure that either the folder name (the UserID) and/or the file name (the Password) is hard-to-guess.

A quick word about EyesOnly

EyesOnly was installed right along with Password Protect 6. It is a Command that can be added to each of your protected pages to reduce even further the chances of unauthorized access. You will remember that earlier we cautioned you not to add a link on your page that goes to your protected pages. This will prevent Search Engine Spiders from ever discovering those pages and listing them! No link, no crawl. The only way to get to those pages will be using the Password Protect 6 Login form. EXCEPT, what happens if, after legitimately reaching your private page using the Login Form, a user then innocently saves the page as a Bookmark? If they do this on shared computer, it would be possible to reach those pages without your permission. EyesOnly will help prevent this! If someone tries to each your private page without coming directly from your website - like via a bookmark, or typing the url into the browser - then EyesOnly will help prevent them from ever seeing the page. So check out EyesOnly.

The User Interface For Basic Users:

The User Interface is the same whether you are adding the Login Form as an Object or as a Behavior.

Basic Users need use only the Basic tab:

You get to decide whether the user will be required to enter

• a Password,
• a UserID,
• or both,

before she can gain access to the protected files.

1) If you wish to require ONLY a Password (a file name):

On the Basic Tab shown above, a) Put a check only in the Password checkbox, and b) Enter the file's extension (please see EyesOnly before deciding just what that extension will be).

You will be protecting a file right in the current folder, so be sure to place the protected document there. The Password the user will be entering is simply the obscure name (minus its extension) for that file.

As an example, if your current document is named: "public_document.htm" and the file you wish to protect is "bbb.htm" :then if the user enters Password "bbb", file "bbb.htm" will open.

Notice that ALL your files with the stipulated file-extension that are in the current folder are reachable if their filenames are known (or are easily guessed!).

"Mask its entry" means that the *'s will appear in place of the actual characters as they are typed, in case there is someone peeking over the user's shoulder.

2) If you wish to require ONLY a UserID (a folder name):

On the Basic Tab shown above, a) put a check only in the UserID checkbox. You should create the folder to be protected as a subfolder of the current folder. The obscure name of that protected subfolder will be the UserID. Again, notice that ALL subfolders of the current folder are reachable. It is only those which you have named obscurely that are protected from the wild-eyed hippies. It is also VERY important to have a default file (like index.htm etc) in the protected subfolder, particularly if your server allows Directory Listing. See important caution below for more information about this.

As an example, if your current document is named: "public_document.htm" and the subfolder you wish to protect is "aaa" :
then if the user enters UserID "aaa", file "index.htm" will open if present, or a Directory Listing will appear if your server allows it.

"Mask its entry" means that the *'s will appear in place of the actual characters as they are typed, in case there is someone peeking over the user's shoulder.

3) If you wish to require a UserID (a folder name) AND a Password (a file name):

On the Basic Tab shown above, put a check in both the UserID and Password checkboxes. The protected folder, and be sure you've created it, must be a subfolder of the current folder. The name of that protected subfolder will be the UserID. The Password that the user will be entering is simply a file name (minus its extension) for a file in that folder. Again, notice that ALL subfolders of the current folder and ALL the files within them are reachable. Only if you have named either the folder and/or the files obscurely will they be protected from the drug-crazed-youth-of-today.

As an example, if your current document is named: "public_document.htm" and the file you wish to protect is "bbb.htm" in subfolder "aaa" : then if the user enters UserID "aaa" and Password "bbb", file "bbb.htm" will open.

The other Basic tab option is:

Open the protected document:

If this is a Framed document and you are adding the Behavior form of Password Protect 6, you are able to choose into which Frame the protected page will open. IF you are adding the Object form, then the protected page always opens in the same Frame as the Login Form.

It's as simple as that! Other than uploading the Password Protect 6 files to your server, you're done! But do be sure you understand the important cautions.

The User Interface For Advanced Users:

Advanced Users may also use the Advanced Tab's options to protect a file or folder anywhere on the site.

The User Interface is the same whether you are adding the Login Form as an Object or as a Behavior.

By default, the "current folder" radio button is selected and the protected files are in either the current folder or a subfolder of the current folder, (and in both cases a Password Protect file named "vwd_getpass6.htm" is copied into the current folder). But as an Advanced user, you may protect a subfolder elsewhere on the site (and the file "vwd_getpass6.htm" will be copied into a new location.)

Imagine this to be the path from your current document to your private file:

"../../xxx/yyy/aaa/bbb.htm", or graphically:

[With message A]
If you are requiring both UserID and Password:

You would enter into this field (by using its Browse button) "../../xxx/yyy/"
and the user would supply "aaa" and "bbb".htm to complete the path.
(Neither "aaa" and "bbb" will be visible in the Source Code).

The path in this field is also where the file "vwd_getpass6.htm" is placed, so "../../xxx/yyy/vwd_getpass6.htm".

[With message B]
If you are requiring only a Password, then:

You would enter into this field (by using its Browse button) "../../xxx/yyy/aaa/"
and the user would supply "bbb".htm to complete the path. Essentially you have entered the UserID FOR the user. (You are thus declaring the foldername "bbb" NOT to be private, and it WILL be visible in the Source Code).

The path in this field is also where the file "vwd_getpass6.htm" is placed, so "../../xxx/yyy/aaa/vwd_getpass6.htm".

[With message A]
If you are requiring only a UserID, then :

You would enter into this field (by using its Browse button) "../../xxx/yyy/"
and the user would supply "aaa" to complete the path, and bbb would have to be the default file, like "index.htm" or the user will see the entire "aaa" Directory Listing if allowed by the server.
(Neither "aaa" nor "bbb" will be visible in the Source Code).

The path in this field is also where the file "vwd_getpass6.htm" is placed, so "../../xxx/yyy/vwd_getpass6.htm".

Be sure to upload that "vwd_getpass6.htm" file to your server!

Looking at this in a slightly different way, the UserID is really a single folder name. But that's all it is. It is not a more complex path. With the Advanced tab's second radio button selected you may enter a more complex path since the user cannot (nor would she want to!) So here you can enter a complex folder path like "../../xxx/yyy". Then to access the file "../../xxx/yyy/aaa/bbb.htm" your user enters her UserID and Password, "aaa" and "bbb" respectively. You've entered the "../../xxx/yyy" for her. So this field is a way to enter UserID info FOR the user - either more complex path information than a simple folder name, or in lieu of requiring a UserID at all.

TIP: Any path information you enter in this field WILL be visible in the source code of the page. If you want the final folder name in the path to be secure, then you must ask the user to enter it as a UserID, in which case it will NOT appear in the source code anywhere.

More Advanced Options:

One additional 404 Title value:

Rarely needed, if your host's 404 page (the "file not found" page) does not contain any of the usual words of such a page in its Title) then in the "One additional 404 Title value" field, you'll have to add one a word that does appear in its title. Add a word that is unlikely to appear in any other document. The standard terms are "cannot", "unable" and "not found".

As it happens, the Title of the 404 page only needs to be checked by my code in rarely used browsers. This behavior is written so 95% of today's users (those using Safari1.2, IEwin5.x+, or Mozilla-based browsers on both PCs and Macs) will never see a 404 page at all; instead they are simply informed that they entered incorrect values. Another 4% of users or so will see the 404 page only momentarily and then be brought right back to the original page automatically. And only a few will be left on the 404 page (from which they return using the Back button.) These 1% or so are those who use Netscape 4.x, Omniweb5+, and perhaps others ?? (fyi Omniweb4- does not work at all so its users are told to upgrade.)

The single exception to this rule applies *only* to the 4% group mentioned above when you have a 1) applied the Extension as an Object, 2) only when it is applied to a Frame of a Frameset, and 3) only when you have instructed the protected page to open in that *same* Frame. With this uncommon combination of conditions, incorrect user-entry will result in the need for use of the 4% group's browser Back button to return from the 404 page.

Redefine Server Root:

Rarely needed, if your server is configured so your site is not in the root) For example, your url is like this: http://www.mainserver.com/~yoursiteroot then you would enter "~yoursiteroot" here.

Finally you may save your current settings as site defaults if you wish. The next time you apply the behavior those saved settings will be set for you automatically. There is also the option of deleting prior Site Defaults.

Don't forget !

Remember you will need to upload to your webserver:

1. The folder "vwd_scripts," and its contents, to the root of your site, and
2. The file(s) "vwd_getpass6.htm" which was added to your site.
   

NOTE: This extension can NOT function locally, so you must upload your pages and the necessary files to your webserver in order to test your work.

We've added some Tutorials !