FAQ

I moved the .htaccess file to the right folder and it still gives me a 'unable to configure' message

2008-10-17T21:39:19.009-07:00

Double check your location -- So far in 100% of cases the person thought it was in the right folder but it wasn't. Remember you have to put the .htaccess in the exact same folder as the lockdown page.

I am using the 'alternate' config -- where do I place the .htaccess file?

2008-10-17T21:37:58.947-07:00

If you are using the alternate config you need to place the .htaccess file in exactly the same folder as the lockdown page.

I have a lot of passwords -- Can I easily 'bulk' import them?

2008-06-03T20:54:36.381-07:00

Yes: Lockdown has a 'import' feature in the setup menu that can import a CSV (Comma Seperated Value) file. Lockdown requires you only have two columns (username & password) so the file should look like this

john, secret
fred, topsecret
..... (etc.)

At least two columns are required (username & password) however you can add an optional 3rd column (Expire Date) and 4th column (redirect URL).

Can I "Force" a logout in LockDown?

2007-12-13T20:16:19.786-08:00

No. The technology that Lockdown uses doesn't have a 'logout' feature. The only way to force it is to quite the browser.

General Questions

2007-09-10T22:40:22.342-07:00

Can a single login name have more than one password?

2007-09-10T22:40:21.913-07:00

No. A login name can only have a single password.

Lockdown with several clients

2007-09-07T08:21:02.003-07:00

The short answer is yes, it is possible to use lockdown with several clients, there are two obvious ways of doing this.

First you can just have mulitple lockdown pages. This is the most secure since you can control exactly who can see what and clients cannot see each other site (because they have their own protected lockdown pages)

The second way is to have a single lockdown page with multiple users but redirect them to their own page. The only trick with this is you need to make sure you disable the client's in the menu )so they can't see each other). You may also want to put them in different unobvious folder names because while they won't see each other it is possible for 'client 1' to go to 'client 2's page if they know eactly where to look.

Which way you pick is really a function of how secure you have to be and how complex you want your site and site administration to be.

How do I set the Base URL?

2007-08-31T10:19:25.879-07:00

The base URL is set via the site setup. This can be accessed from cmd-1 or site->Show Site Setup

see Here and Here for a nice description of setting the base uRL

I still don't get the alternate config

2007-05-16T09:29:29.072-07:00

I've put together a small screencast that shows how to do the alternate config. you can watch it by clicking here

Lockdown won't recognize my passwords

2007-05-11T10:03:53.214-07:00

If you try lockdown and you get a password prompt on your webpage but the password is never recognized there are a few things to check.

Do the 'obvious' stuff. Confirm the password, make sure caps lock isn't on, etc.
If that doesn't help you may have a problem with the encryption type used. See the MD5 vs. CRYPT entry in the FAQ.

MD5 vs. CRYPT

2007-05-11T10:00:42.422-07:00

Starting with lockdown 1.68 the option was added to the setup menu to select two types of encryptions. MD5 or CRYPT.

What happens is the passwords are stored on the server encrypted -- Previously Lockdown used MD5 style encryption which is very strong and allows for long passwords. However some servers don't support MD5. In that case you can select CRYPT.

The only thing to be aware of is that using CRYPT requires the password is < 8 characters. Anything over 8 characters is ignored so if you have a password of "goatcheesesteak" and "goatcheesesandwich" they would both appear to be the same password to CRYPT where MD5 would recognize them as being different.

In general I recommend MD5. If that works you are done. If, however, you have problems with passwords not being recognized you may want to try CRYPT to see if it fixes the problem.

I get an internal server error

2007-04-28T08:50:39.173-07:00

If you install Lockdown and get an internal server error

The most probably cause is that you uesd the 'alternate config' (where you drag the htaccss file over) and something happend incorrectly.

To fix it, delete the old htaccess file and try again making sure to copy over the filepath exactly.

On per-user redirection how does it decide?

2007-04-24T20:33:03.947-07:00

It uses the login name to decide where to redirect people to. You need unique login names for everyone you want to redirect.

If I use per-page redirect can the users see each other?

2007-04-24T20:30:57.964-07:00

The short answer is yes, it's possible for them to look at each others information. A single lockdown page protects all of the content that is 'nested' beneath it. You can minimize this by hiding the pages from the sidebar and using unusual foldernames but it's still possible for them to directly navigate to each others lockdown pages.

If you really want to have a single login page but each person to have a unique, protected, site you need one main lockdown page that just redirect people to a 2nd lockdown page that is unique to them. Unfortunately this will require they 'log in' twice.

What is redirection?

2007-04-24T20:25:23.805-07:00

Redirection is the ability of the Lockdown page to 'Push' you to a new page. There are two types of redirection available in Lockdown.

You can have the lockdown site redirect ever vistor to a new page by entering the page and selecting 'redirect' on the front lockdown page

You can also have a unique page redirect on a per user basis by entering it next to the passwords, this is useful if you have multiple clients and want them to each go to their own page.

Page Redirection

2007-04-24T20:25:23.324-07:00

I lost my registration code, How can I get it back?

2007-04-16T00:01:00.713-07:00

To retrieve lost license codes you need to go to two spots and fill out forms (It's two spots because there are two different ways to get licenses that have different retrieval methods -- Just do both and you should be good to go

http://store.esellerate.net/support
https://store.loghound.com/store/lost_license

You will need the email you used to register the program -- All of your esellerate and loghound purchase serial numbers will be resent to you.

I got a lot of undefined errors

2007-04-15T23:42:41.387-07:00

If you get a lot of undefined errors like this


Notice: Undefined variable: HTTP_REFERER in (some path) on line 186
Notice: Undefined index: SCRIPT_URI in (some path)on line 187

The likely cause is your web host has set default PHP warning level too high. To fix it put the following in the 'page prefix' section of the page

<?PHP
error_reporting(E_ERROR);
?>

I removed a lockdown page but it still asks for a password!!!

2007-04-14T22:55:52.944-07:00

If you didn't use the 'alternate' technique to create the lockdown page you can remove it by simply unselecting 'password protect this page' and republish.

If, however, you had to use the alternate approach *OR* you already removed the lockdown page you have to manually remove the password protect. Fortunately this is easy.

Use a program like transmit and log into your server. Navigate to where the lockdown page was
Turn on 'show invisible files' from the view menu
You should see a file called .htaccess -- Delete this file and it should stop asking for passwords.

General Tips

2007-04-11T23:57:05.443-07:00

Problems

2007-04-11T23:56:50.851-07:00

Testing

2007-04-11T23:56:37.179-07:00

Password Expiration

2007-04-11T23:52:52.691-07:00

Starting with Version 1.5 of Lockdown you can now 'Expire' Passwords. This is useful if, say, you want to grant access to someone for a few days and don't want the system to automatically disable access.

To use it simply type in the expiration date next to the password. you can also use things like "Next week" or "In 3 days" (of course you can also simply type a date in)

once a user 'expires' the field grays out to tell you they are no longer have access. At this point you can ignore them, delete them or re-enable the account by putting a new expire date. The default of ignoring them has the same effect of removing them. They no longer have access to the site.

Please not that this feature is different than account time outs you may have seen on sites like Amazon.com (which automatically log you out after a preset amount of time with no activity).

Limitations in Removing users

the default behavior is 'Never Expire' but you can optionally give a date after which the account would nominally not work.

Unfortunately there are so many different ways web hosts configure their servers that it will work different ways for different people.

For everyone everytime you 'publish' out of RW if the 'expiration date' has been exceeded that user will no longer be authorized (it'll still show in the list but be grayed out) and their account will be removed from the web site.

For some (many) people I will be able to remove them *without* republishing (on the fly) sometime after the expiration date.. It'll depend on someone (anyone) visiting the lockdown page which will trigger the removal of expired users.

For some folks (anyone who has to use the 'alternate configuration method') I am not able to turn off account access on the fly, I will be able to stop them from seeing the content on the actual lockdown page but that person could still be able to jump to a nested page (until you republished the site at which point they would be locked out)

The key message is that it will work fine if you are willing to live with the 'expiration' date as a 'do not shut them off sooner than this date but it's-ok-if-they-have-access-beyond-that-for-a-bit' where the 'a bit' is defined by how often you republish your RW site, how active people visit it and how often the lockdown page is visited.

Embed Username/Password

2007-04-11T23:52:15.160-07:00

NOTE: This technique depends on the browser implementing the feature. While it still works with Firefox internet explorer has turned this feature off for security reasons. I'm keeping the FAQ item here for reference but it's not recommended to be used anymore.

Lockdown pages are great for securing a web site or portion of a web site from prying eyes and since you can add as many users as you want you can really control who has access (and you can turn off access when you want)

But some times you want to keep something secure from people who don't know you but you want to provide an easy way for anyone who does know you to view the content (say you send an email out and don't want to have to spend a lot of time telling them e-mail & password)

A simple solution is to embed the username and password in the URL.

For instance I put a "Secret Page" here with a username of "Secret" and a password of "Page" but my dear old grandmother isn't very comfortable around computers and I really don't want to say

"Granny, To see pictures of the kids please go to http://www.loghound.com/lockdown/FAQ/embedpassword/secretpage and when it asks you for a username/password type in "Secret" for the username and 'Page" for the password.

Instead I would like to say, "Gran's, here is a link to a page to
visit
http://secret:page@www.loghound.com/lockdown/FAQ/embedpassword/secretpage

Viola! Like magic you have a page that is secure from prying eyes but dear old Gran can easily see it without memorizing usernames/passwords.

The secret is to put the username and password after the '//' and with a colon in between them, and a @ at the end (before the web site)

e.g. http://username:password@www.loghound.com/....

It's also possible to 'bookmark' the site on Gran's computer so she can just 'jump' to the site and not worry about passwords.

If later you decide that Gran has forwarded it on to too many relatives and you wish to secure it from Uncle Fred (who you never liked much) you can always change the username and password to something else and the next time anyone follows the link it will not accept the original username/password and will ask for a new one (of course this will make Gran mad so use with Caution)

If you have any suggestions on how to improve this tutorial please contact me.

Page Redirects aren't working

2007-04-11T23:52:06.082-07:00

For page redirects to work you need to make make sure a few things are correct.

Check to insure that your base URL is set (see Here and Here for good details).
If you are redirecting to a page not on your RW3 file (such as an offsite page) make sure it's properly formatted with a http:// in front

Authorization (401) redirects

2007-04-11T23:51:52.459-07:00

Releases of Lockdown prior to 1.65U had a problem with Authorization redirects (also known as 401 redirects)

You see 401 redirects require that the redirect page be an absolute path on the server (such as '/pages/error.html) while the other error pages allow full URL's (such as http://www.google.com)

See here for a write up of this but the short answer is I now specifically disallow external URL's and format the internal (e.g. within RW) urls as absolute paths.

There is one odd side effect that I don't completely understand. If you go to a document with a password and hit 'cancel' it keeps on asking you. If you hit cancel enough times it eventually directs you to the error page *minus* the CSS, javascript, themes, etc.

If anyone understands why let me know. I've been scratching my head over it and don't have a good answer yet.

In the meantime if you have this problem the easy solution is to use a HTML page without a theme (you can turn the theme off for HTML pages) and have a simple document saying with a URL link back to the main web page.

It only asked for the password once..

2007-04-11T23:51:20.870-07:00

You will find that a lockdown page will only ask for a password once. This is because the browser 'remembers' the password and automatically gives it to the lockdown page.

You can test this by completely exiting the browser (or running a different browser such as opera or firefox) -- you'll see it ask for the password again.

when I go to a lockdown page I get weird HTML

2007-04-11T23:51:09.994-07:00

If you go to a lockdown page and get HTML like this:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta name="robots" content="all" /> <meta name="generator" content="RapidWeaver" /> <meta name="generatorversion" content="3.5.1 (Build 264)" /> <title>lockdown</title> <link rel="stylesheet" type="text/css" media="screen" href="../rw_common/themes/aqualicious/styles.css" /> <link rel="stylesheet" type="text/css" media="print" href="../rw_common/themes/aqualicious/print.css" /> <link rel="stylesheet" type="text/css" media="handheld" href="../rw_common/themes/aqualicious/handheld.css" /> <link rel="stylesheet" type="text/css" media="screen" href=....

Then odds are your web host does not support PHP. While most hosts do some do not on their lowest cost plans.

Unfortunately lockdown requires PHP, you might contact your web host support team to find out if they can enable PHP for you.

why am I being asked for my password twice?

2007-04-11T23:50:46.095-07:00

If you use page redirection you may find that you are being asked for the same password twice. Below is an excerpt from a nice summary of the problem (the original text can be found here. You might also want to look at a solution a Lockdown customer came up with for this here.

When entering a password-protected web site for the first time, you will occasionally notice that you are asked for your password twice. This may happen immediately after you entered the password the first time, or it may happen when you click on the first link after authenticating the first time.

This happens for a very simple, but nonetheless confusing, reason, again having to do with the way that the browser caches the login information.

Login information is stored on the browser based on the authentication realm, specified by the AuthName directive, and by the server name. In this way, the browser can distinguish between the Private authentication realm on one site and on another. So, if you go to a site using one name for the server, and internal links on the server refer to that server by a different name, the browser has no way to know that they are in fact the same server.

For example, if you were to visit the URL http://example.com/private/, which required authentication, your browser would remember the supplied username and password, associated with the hostname example.com. If, by virtue of an internal redirect, or fully-qualified HTML links in pages, you are then sent to the URL http://www.example.com/private/, even though this is really exactly the same URL, the browser does not know this for sure, and is forced to request the authentication information again, since example.com and www.example.com are not exactly the same hostname. Your browser has no particular way to know that these are the same web site.

Password Expiration

2007-04-11T23:50:26.825-07:00

To use it simply type in the expiration date next to the password. you can also use things like "Next week" or "In 3 days" (of course you can also simply type a date in)

Limitations in Removing users

GoDaddy Users

2007-04-11T23:50:11.007-07:00

If you are using GoDaddy.com it does support lockdown if you have the right account type and a little patience :-)

Go Daddy offers both Windows & Linux hosting... The windows hosting doesn't work with Lockdown.... For 99% of people Linux hosting is a better bet anyway. If you are on windows and don't really need it I would contact godaddy and see if they can switch you.

GoDaddy has a (slightly) strange behavior. It takes a few hours for Lockdown to work. I've had a bunch of people with problems on GoDaddy and eventually I went ahead and signed up to see what the deal was (so i know for a fact this is true). Turns out when you first lockdown a page no password is asked for but go back to it a few hours later and Viola! Lockdown page...

I think it's due to how they manage their filesystems but if you do a lockdown page... Visit it to get the 'you should be locked down' message and then wait a few hours.

Bottom Line: Verify you have a Linux account, if you don't send godaddy a request to switch you. If you do have a linux account just wait a few hours.

How do I enable PHP on my Mac?

2007-04-11T23:50:02.522-07:00

If you want to use Lockdown from your mac you also need to enable php -- This is fairly painless and just requires editing httpd.conf file.

There are many good tutorials on the web (just google for it)

Lockdown on OSX

2007-04-11T23:49:04.480-07:00

How to Configure Lockdown with Personal Web Sharing

AKA How to get it to work with your Mac's built in web server

Mac OSX comes built in with the worlds best web server (Apache) but by default it does allow a user to enable passwords on a per-directory basis. This feature is called 'AllowOverride' and by default it's turned off so Lockdown doesn't work.

Fortunately the solution to fix it to allow Lockdown is quite easy but does require you are comfortable with editing config files.

You need to use a tool that can open 'private' files, in this example I use TextWrangler because It's free and I love it. If you are a Unix Hacker you can jump to the very bottom of this page to see how to modify this from the command line which is less steps and arguably easier but requires you know vi.

Open the file:

/private/etc/httpd/users/[username].conf

Where [username] is your 'short' username. In my case it's 'johnmcl'. Because this is a so-called private file you have to either open it from a terminal window using a command line tool such as 'vi' or use a special feature of TextWrangeler called 'Open file by Name'

In my case I typed in

/private/etc/httpd/users/johnmcl.conf

The file looks like this

<Directory "/Users/johnmcl/Sites/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Now I want to change the 'None' to 'All' and TextWranger warns me.

Clicking yes, I modify the file to AllowOverride

<Directory "/Users/johnmcl/Sites/">
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>

And save the file... TextWrangler needs to verify I can modify this password

No problem.. I type in my password and save... The only thing left to do is to restart the web server to have the new settings take effect.

Go to System Preferences -> Sharing

Highlite "Personal Web Sharing" and click 'stop', give it a second to stop

And then click 'Start' to restart it... That's it! Lockdown should not be enabled!

Command Line

If you prefer you can also do this from the command line. Assuming you are logged in as the user who you want to enable LockDown at the command prompt type

sudo vi /private/etc/httpd/users/$USER.conf

Give it the password, and modify the 'AllowOverride' to 'All' from None, save it, restart Apache and you are finished!

T_STRING parse error

2007-04-11T23:48:56.435-07:00

If you get the following on a Lockdown page

Parse error: syntax error, unexpected T_STRING in xxx on line 1

Where 'xxx' refers to a path on your system then you probably have 'Use XML Declaration' enabled in the page inspector (Apple-I)

Simple turn it off to make this error go away

Plugins in 3.5

2007-04-11T23:48:33.745-07:00

All loghound.com plugins work on RapidWeaver version 3.2 and 3.5.

If you are having a problem running a plugin under 3.5 here are a few troubleshooting tips.

1) Verify that you have the latest version of plugins. You can get the newest version via the "Change Log" for each plugin
2) Make sure you COMPLETELY remove the old plugin first by moving it to the trash (via the finder) You can follow the instructions for 'installation' for each of the plugins
3) Make sure RapidWeaver is called "RapidWeaver", there can be problems if it's called something like "RapidWeaver 3.5"
4) If you still have problems bring up Console.app and then run RapidWeaver to see what kind's of messages are put out.

Troubleshooting via test pages

2007-04-11T23:48:22.347-07:00

If you are having problems getting lockdown to work my first suggestion is always "create a small test page".

By this I mean create brand new site in a brand new RapidWeaver file that has a simple lockdown page, it it put the following contents

<?php

print "The current directory is: " . getcwd();

phpinfo();

?>

and publish it somewhere 'off to the side' on your server (off to the side means create a blank private URL on your web server that you can post this to as an experiment)

If you publish one of these test sites and you still see the same problem then we may need to diagnose a server issue. In this case I'll ask you to send me two things

the 'small' RapidWeaver test file (it should be quite small, < 100kB) that you created above.
A copy of the web page from the sever (this should also be quite small, < 100kB or so)
- This is a critical item. What I want you to do is to ftp login to your sever using your ftp client of choice (I use transmit) and drag the folder that you just published to your desktop. Then right click and select 'Create an Archive'.

Send both of the files (the Rapidweaver file and the zipped up site) to me to help diagnose the problem.

With these two files I can see exactly how you published your information and what eventually got on the sever

As a convenience here is a small RW3 file you can use for testing.lockdowntest

Try before you buy

2007-04-11T23:47:55.595-07:00

With the exception of .MAC Lockdown works on almost every web host. Occasionally there are a few hosts that have problem.

before you buy lockdown please do two things:

First check your web site for compatibility using my handy test tool here.
If it passes the test above download a version and try it. The only limitation of Lockdown without a registration code is you can't save your work to a Rapidweaver file.

To try it first download, install it and create a simple web page with only a lockdown page.

Publish the page but don't save it (Rapidweaver will ask to save it, just say no) and then visit it. If it says that Lockdown worked and you get the username/password prompt then you are good to go!

If it asks you to try the alternate instructions then try those and verify it works (again, don't try to save your Rapidweaver file).

FAQ

I moved the .htaccess file to the right folder and it still gives me a 'unable to configure' message

I am using the 'alternate' config -- where do I place the .htaccess file?

I have a *lot* of passwords -- Can I easily 'bulk' import them?

Can I "Force" a logout in LockDown?

General Questions

Can a single login name have more than one password?

Lockdown with several clients

How do I set the Base URL?

I still don't get the alternate config

Lockdown won't recognize my passwords

MD5 vs. CRYPT

I get an internal server error

On per-user redirection how does it decide?

If I use per-page redirect can the users see each other?

What is redirection?

Page Redirection

I lost my registration code, How can I get it back?

I got a lot of undefined errors

I removed a lockdown page but it still asks for a password!!!

General Tips

Problems

Testing

Password Expiration

Limitations in Removing users

Embed Username/Password

Page Redirects aren't working

Authorization (401) redirects

It only asked for the password once..

when I go to a lockdown page I get weird HTML

why am I being asked for my password twice?

Password Expiration

Limitations in Removing users

GoDaddy Users

How do I enable PHP on my Mac?

Lockdown on OSX

How to Configure Lockdown with Personal Web Sharing

AKA How to get it to work with your Mac's built in web server

Command Line

T_STRING parse error

Plugins in 3.5

Troubleshooting via test pages

Try before you buy

I have a lot of passwords -- Can I easily 'bulk' import them?