SSL and password questions

[FluidBrix]

I'm an artist and have limited knowledge of server stuff so bare with me.

I set up a subdomain for a client with SSL. When you go to the http URL it
checks the browser and if it is Internet Explorer 5.1 or later it re-directs to
the client sign in page which is https and contains a flash file that they can
enter their username and password. If they enter the info correctly it sends
them to the https page for their company.

The problem I have is that if someone types in http with the name of the
client page it won't be protected by SSL nor does it check their login and
password.

Is there a way I can setup the pages to automatically load as https?

Is there a way to send the login and password to a cookie or something else to
make sure other people can't access the client pages by just typing them in?

There is confidential data and video footage that will be stored here for
motion picture companies to access so it must be 100% secure. Thanks

[nisav19]

if your using something like php, coldfusion or asp, you can capture the url
the customer is trying to go to..pull the url apart and see if they are using
http or https, if they are using http then redirect to https, if its already
https then dont do anything. you would put this about the opening <html> tag
on every page..if there is more then one.... if there is only one page that
you need to do this one then instaed of pulling the url apart..which is just
extra work..you can compare the url they typed in to a static url in your code..

are you doing everything in just straight flash...or are there other languages
being used...

[FluidBrix]

Originally posted by: nisav19
if your using something like php, coldfusion or asp, you can capture the url
the customer is trying to go to..pull the url apart and see if they are using
http or https, if they are using http then redirect to https, if its already
https then dont do anything. you would put this above the opening <html> tag
on every page..if there is more then one.... if there is only one page that
you need to do this one then instaed of pulling the url apart..which is just
extra work..you can compare the url they typed in to a static url in your code..

are you doing everything in just straight flash...or are there other languages
being used...

I don't do any backend programming. The page with flash is just a
login/password window that checks the input text of the dynamic text fields and
when you click a button it takes you to the correct https page. I'm not using
PHP or cold fusion or anything. The client pages are all HTML and will have
links to quicktime content. I was hoping there would be a way that if someone
just types the URL of the clients page it will reject the request and not load,
or the flash file will store the username and password in the browser cache or
a cookie to make sure unwanted visitorscan't access the pages. I don't know how
to make cookies but will do what I must to make this work.

[nisav19]

i did some research...couldnt really find any clean way of doing this..but came
up with 2 things...
1) since you are using flash...post this on the flash forum, if you havent
yet, and see if anone there knows if there is a way to do this in flash..

2) since you are using HTML, you can use an IFRAME to load the flash file
from an https source and no one would know...

<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>

<iframe src="https://www.mysite.com/someflashfile.swf" width="100%"
height="600" frameborder="0"

</body>
</html>

so even if the user goes to [url]http://ww.mysite.com[/url] the HTML page that loads up
will load the flash file from the https location...

[Lionstone]

You can set up your server to only serve https requests, or you can try one
of the various methods out there to do an https redirect.

To not serve direct URLs, you'll have to protect each page. Session
variables are the usual method, but cookies would work, too. Check for the
existence of the user name in the session or cookie. If it exists, then
continue, if not, redirect to a "not authorized" page. This would require
you to use ASP, PHP, or ColdFusion (or JSP or...), though, because the web
server has to do the work. Anything done on the client (i.e., with
JavaScript) can be defeated VERY easily.

DW has a built-in server behavior called "Restrict Access to Page" that will
do what you need. See what you can use, then find the behavior in that
server model. We can help you set up a login so that the restrict access
behavior will work even if you don't use the companion log in behavior,
which requires a database. We can get around that without much trouble.

"FluidBrix" <webforumsuser@macromedia.com> wrote in message
news:d758c1$kdg$1@forums.macromedia.com...

> I'm an artist and have limited knowledge of server stuff so bare with me.
>
> I set up a subdomain for a client with SSL. When you go to the http URL it
> checks the browser and if it is Internet Explorer 5.1 or later it
> re-directs to
> the client sign in page which is https and contains a flash file that they
> can
> enter their username and password. If they enter the info correctly it
> sends
> them to the https page for their company.
>
> The problem I have is that if someone types in http with the name of the
> client page it won't be protected by SSL nor does it check their login and
> password.
>
> Is there a way I can setup the pages to automatically load as https?
>
> Is there a way to send the login and password to a cookie or something
> else to
> make sure other people can't access the client pages by just typing them
> in?
>
> There is confidential data and video footage that will be stored here for
> motion picture companies to access so it must be 100% secure. Thanks
>

[FluidBrix]

I don't think I can setup my server to accept only https because it's a shared
server and I don't see anywhere you can enable that feature. Forgot to mention
that.

What I did for now was to put each of his client's html pages inside their own
folder and then password protect the directory from my server's control panel.
This should be fine and it's simple to setup and I can even get rid of the
login and password flash file and just have client's enter their company name
or click a hyperlink to jump to their main page.

If you think using the server behavior is better I'm willing to give it a try.
My control panel allows me to create databases so if need be I can probably
create one easily.

[Lionstone]

The way you have it works just as well. It's using the server, too. The
only problem is that any browser other than IE will transmit the password in
plain text. But since you're using SSL, that's not really an issue. :)


"FluidBrix" <webforumsuser@macromedia.com> wrote in message
news:d77r7a$est$1@forums.macromedia.com...

>I don't think I can setup my server to accept only https because it's a
>shared
> server and I don't see anywhere you can enable that feature. Forgot to
> mention
> that.
>
> What I did for now was to put each of his client's html pages inside their
> own
> folder and then password protect the directory from my server's control
> panel.
> This should be fine and it's simple to setup and I can even get rid of the
> login and password flash file and just have client's enter their company
> name
> or click a hyperlink to jump to their main page.
>
> If you think using the server behavior is better I'm willing to give it a
> try.
> My control panel allows me to create databases so if need be I can
> probably
> create one easily.
>

[FluidBrix]

On the index page I have a browser check for IE 5.1 or later.

Not sure how to do it on the actual client page since you need to specify a
URL to go to if the browser meets or fails the requirements.