Textpattern CMS support forum

#1 2017-12-31 14:31:16

kirito
Member
From: Italy
Registered: 2017-01-10
Posts: 34

Protect content of a personal blog with guest users

Hello, everyone. I implemented the smd_user_manager and cbe_frontauth plugins to protect the content of a personal blog.
I created a new user with zero privileges and the system works, except for one very very big problem which I didn’t think of: if a guest logs in with the same username already in use, he “steals” the session and the latter can’t navigate any more.
This is a personal blog with no more than a hundred potential visitors (relatives and friends).

Is there a way to have a working (and secure) shared login for everyone or is it necessary that every single user is registered with his specific username?


#2 2017-12-31 14:38:06

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,534

Re: Protect content of a personal blog with guest users

Hi

maybe <txp:password_protect /> is more suited to your case:

Doc : <txp:password_protect />

Cheers.


#3 2017-12-31 14:52:05

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,032

Re: Protect content of a personal blog with guest users

kirito wrote #308513:

Hello, everyone. I implemented the smd_user_manager and cbe_frontauth plugins to protect the content of a personal blog.
I created a new user with zero privileges and the system works, except for one very very big problem which I didn’t think of: if a guest logs in with the same username already in use, he “steals” the session and the latter can’t navigate any more.
This is a personal blog with no more than a hundred potential visitors (relatives and friends).

Is there a way to have a working (and secure) shared login for everyone or is it necessary that every single user is registered with his specific username?

Maybe you could ask your visitors to register to see the content. In that way, sessions will not expire if someone else logs in.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#4 2017-12-31 15:45:52

kirito
Member
From: Italy
Registered: 2017-01-10
Posts: 34

Re: Protect content of a personal blog with guest users

Thanks for the reply. I tried password_protect, but cannot make it work… It just hangs after the username and password are entered.
Also, I really don’t like the pop-up window, and the user can’t save the session for future visits (with cbe_frontauth they can do this). You have to log in every time. Most of the visitors of this specific blog are really “low tech” persons, so I must be as user friendly as possible…

As a last resort I’m trying mem_self_register, so visitors can register themselves, but I don’t like this solution so much. Strangers could self-register anonymously and I would need to check every user.

For me it would be much better to spread a “common” guest username and password. We are not speaking of strictly reserved materials; I just want the site to not be easily accessible by everyone around the world and to be sure that no search engine (even malicious ones) can crawl the content.

Last edited by kirito (2017-12-31 16:07:21)


#5 2017-12-31 17:50:47

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293

Re: Protect content of a personal blog with guest users

Depending on your viewpoint, this feature of Textpattern introduced in the 4.0.6-4.0.7 era is either a welcome security feature or a royal pain in the butt. Prior to this change, anyone could log in with the same credentials from anywhere and “share” the account. This is not possible to circumvent any more, as it’s baked into the core code: any secondary login invalidates the session of the first.

As an alternative, you might like to consider smd_access_keys. That allows you to choose a public-facing resource (e.g. a blog section) and create a secure access token (a long string of numbers) that is required in the URL to unlock it.

No search engine is likely to randomly stumble across it, nobody who is not in possession of the key will be able to see it, and you can share the long URL with family and friends who can then bookmark it to reach the designated area of the site. Might be worth a try.

If you are in need of a Textpattern 4.6.2-version of the plugin, I can bundle one up for you, just let me know.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

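The access-key URL idea from the post above, as an added example that is not part of the thread and is not smd_access_keys' own code. It assumes one possible design, an HMAC-signed link with an expiry; `SITE_SECRET`, the `/family` path, the `e`/`n`/`k` query parameters and both function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration of an access-key URL; not smd_access_keys' own code.
// SITE_SECRET, the /family path and all function names are hypothetical.
const SITE_SECRET = 'replace-with-32-random-bytes-kept-out-of-the-web-root';

/** Build a shareable URL that unlocks $path until $expires (Unix time). */
function make_access_url(string $path, int $expires): string
{
    // Per-link random part so every issued link is unique.
    $nonce = bin2hex(random_bytes(16));            // 128 bits from the CSPRNG
    $mac   = hash_hmac('sha256', "$path|$expires|$nonce", SITE_SECRET);
    return $path . '?' . http_build_query(['e' => $expires, 'n' => $nonce, 'k' => $mac]);
}

/** Return true only for an unexpired, untampered key on this exact path. */
function check_access(string $path, array $query, ?int $now = null): bool
{
    $now = $now ?? time();
    $e = $query['e'] ?? '';
    $n = $query['n'] ?? '';
    $k = $query['k'] ?? '';
    // Reject arrays (?k[]=x) and malformed values before any crypto.
    if (!is_string($e) || !is_string($n) || !is_string($k)
        || !ctype_digit($e) || !ctype_xdigit($n) || strlen($k) !== 64) {
        return false;
    }
    if ((int) $e < $now) {
        return false;                               // link has expired
    }
    $expected = hash_hmac('sha256', "$path|$e|$n", SITE_SECRET);
    return hash_equals($expected, $k);              // constant-time compare
}

// Constructed demo: a 30-day link for a hypothetical /family section.
$url = make_access_url('/family', time() + 30 * 86400);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);

var_dump(check_access('/family', $q));              // valid link
var_dump(check_access('/private', $q));             // key bound to another path
$q['e'] = (string) ((int) $q['e'] + 86400);
var_dump(check_access('/family', $q));              // expiry tampered with
```

Because the key travels in the URL, it also ends up in browser history and web server logs, which is why the sketch gives every link a finite lifetime.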

#6 2018-01-01 08:39:10

kirito
Member
From: Italy
Registered: 2017-01-10
Posts: 34

Re: Protect content of a personal blog with guest users

I will take a look at smd_access_keys.

For now I installed mem_self_register (with mem_form) cbe_frontauth cbe_members and smd_user_manager.
I created a new group with no privileges (with id=7) and modified the mem_self_register code to assign every new user to this group by default. Somehow it works, but the site is in Japanese, and for now I don’t understand very well how to customize the text messages in mem_self_register.
The cbe_members forms (change and reset password), too, do some kind of magic and I can’t understand where to customize the HTML tags and format. It automatically spits out labels and inputs… :D The documentation doesn’t cover this and I’m a complete beginner at PHP, so it’s a hard task for me.

This solution is beyond my very needs, but if I can manage to make it work fine with a nice look and feel I will leave this in place.

[OT] I’m maintaining this Japanese blog for my wife, but I’m Italian… Since I discovered that txp-4.7 will support different language settings for frontend and backend I can’t wait to upgrade! [/OT]


#7 2018-01-01 09:04:14

kirito
Member
From: Italy
Registered: 2017-01-10
Posts: 34

Re: Protect content of a personal blog with guest users

Bloke wrote #308517:


If you are in need of a Textpattern 4.6.2-version of the plugin, I can bundle one up for you, just let me know.

LOL I missed this part. It seems that the current version doesn’t work with txp-4.6.2, does it? Some errors appear when trying to install.
Bloke, would you please update the plugin? I know, it’s Jan 1st, we all should just lie in bed and sleep. Anyway… :D
Thanks in advance!

Errors:

User_Error "Specified key was too long; max key length is 1000 bytes".

And:

Fatal error: Uncaught Error: Call to undefined function mysql_error() in /media/Dati/html/txp-master/textpattern/lib/txplib_misc.php(1368) : eval()'d code:444 Stack trace: #0 /media/Dati/html/txp-master/textpattern/lib/txplib_misc.php(1368) : eval()'d code(85): smd_akey_table_install(0) #1 /media/Dati/html/txp-master/textpattern/lib/txplib_misc.php(1895): smd_akey_welcome('plugin_lifecycl...', 'installed') #2 /media/Dati/html/txp-master/textpattern/include/txp_plugin.php(541): callback_event('plugin_lifecycl...', 'installed') #3 /media/Dati/html/txp-master/textpattern/include/txp_plugin.php(50): plugin_install() #4 /media/Dati/html/txp-master/textpattern/index.php(211): include('/media/Dati/htm...') #5 {main} thrown in /media/Dati/html/txp-master/textpattern/lib/txplib_misc.php(1368) : eval()'d code on line 444


#8 2018-01-01 12:22:43

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293

Re: Protect content of a personal blog with guest users

kirito wrote #308519:

would you please update the plugin?

Try that

It’s not very well tested today (Happy New Year!) but I think it’ll work. Give it a whirl and if I’ve missed something, let me know.



#9 2018-01-01 15:20:17

kirito
Member
From: Italy
Registered: 2017-01-10
Posts: 34

Re: Protect content of a personal blog with guest users

Bloke wrote #308520:

It’s not very well tested today (Happy New Year!) but I think it’ll work. Give it a whirl and if I’ve missed something, let me know.

Happy new year to you too! It always shouts the “key too long” error. Maybe it could be a problem with my configuration?

In the config panel, if I try to save preferences it shouts the same error and then this appears:

Not all table info available.

This is either a new installation or a different version
of the plugin to one you had before.

Click "Install table" to add or update the table
leaving all existing data untouched.

If I click “Install table” then the same error about the key length appears.
Now I have to go. Thanks again. You’re great, man!


#10 2018-01-01 17:34:36

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293

Re: Protect content of a personal blog with guest users

kirito wrote #308521:

It always shouts the “key too long” error.

I’ll have to reduce the key size or column then. It’s a multi-byte thing. I’ve learned a little bit about setting key lengths properly when we implemented themes in core recently so I’ll go back and apply that knowledge to this plugin when I get the chance.



#11 2018-01-01 19:32:23

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,305

Re: Protect content of a personal blog with guest users

kirito wrote #308518:

I’m maintaining this Japanese blog for my wife, but I’m Italian […] can’t wait to upgrade!

Right now: Front-end in Japanese, back-end in Italian for you, in Japanese for your wife. (For any registered user in the language of her/his choice) [Edit: Link added.]

Last edited by uli (2018-01-01 19:33:40)


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links


#12 2018-01-02 11:45:43

kirito
Member
From: Italy
Registered: 2017-01-10
Posts: 34

Re: Protect content of a personal blog with guest users

uli wrote #308523:

Right now: Front-end in Japanese, back-end in Italian for you, in Japanese for your wife. (For any registered user in the language of her/his choice) [Edit: Link added.]

I love you <3. And love the plugin developer, too!

Anyway, I managed to put in place a system with cbe_frontauth, smd_user_manager, mem_self_register and mem_form. It seems to work like a charm.
Users can register themselves, recover their lost password by e-mail and manually change their own password if they want. It was not such an easy task, because the documentation is a bit outdated and not so complete.

I would like to write a small tutorial with all the forms that I wrote down (also for my own future reference, just in case). Where is the best place for this?

A small improvement I would like to make is to register every user using the e-mail address also as username. I would get two results (two pigeons with one bean, as we say in Italy :D ):

  • users would not need to remember their username in case they forget their password.
  • avoid the risk for a user to register multiple accounts with the same e-mail, because username (in this case the e-mail address itself) uniqueness is checked.

Can someone point me in the right direction before I dive into a tiresome exploration of the mem_self_register and mem_form code?