[pgo]

So, I was thinking the other day, how do you go about providing a private viewing area for a client, so that they can see their site (from any location) on a private server (or directory, etc).

Do you create a directory "/dev/" and hide it from robots? Or password protect it through whatever means (control panel, etc.)? Does a password protected directory cause any problems with file paths?

I've used several of the "all in one" AMP solutions for local development, but they've always got a problem - either I can't get MySQL to work correctly, or some other strange thing. (However, I've got much greater success than trying to install each individually...). Still, it's easier than keeping an FTP connection alive and synchronizing the files every 5 minutes or so.

I was thinking of a local server for everyday development (does this compromise the security of my home system??) and a protected area on a hosting account for clients to view their product and request changes before going live.

These are issues that haven't really affected me yet, but with a project coming up soon (and another one a good possibility in the months to come) I'm going to need a solution.

What system do you have in place? Please share and be detailed - especially regarding password protected directories as that's the one area I'm especially clueless about.

[mike_m]

what kind of server are you on?

[cam]

Quote:

Originally Posted by pgo

I was thinking of a local server for everyday development (does this compromise the security of my home system??)

I'd recommend setting everything up yourself, just for experience, but i've tried Xampp (one installer file setups apache, mysql, phpmyadmin, etc) before and had no problems. And no, running stuff on localhost doesn't comprise your security.

As for the client-facing stuff, if you're just looking to show a client the current status of a project and nothing more then a plain vanilla htaccess would do the trick. you could of course always spend ten minutes and write some user-authentication script in php or whatever so you could customise the interface.

If you're looking at actually collaborating with a client as well (e.g. they can leave feedback on what you're doing, add feature requests, bug-reports, etc) then you're moving into the realms of a client extranet - which from the sounds of it you couldn't make yourself (realistically), but there are plenty of opensource and off-the-shelf solutions available, none of which i've used enough to be able to recommend.

let me know if i've been too vague there at all and i'll try and help you out more. just back from my first proper cycle in eight months (been ill) in 80% humidity - yuck.

[pgo]

@mike - Just a shared hosting account on a Linux server.

@cam (and anyone else)

I've been using PHPdev at home - and it seems to work alright. I haven't used it too much. I've tried installing them (AMP) individually several times and had no luck.

Mostly, the idea is for clients to be able, once in a while and particularly before going live to sign off on it.

I'm not concerned about an extranet, so to speak, just a private area where client(s) can view work without the risk of robots accessing (easy with robots.txt) and without "undesirables" snooping around (breaching any confidentiality agreements) in whatever folder - say, /dev/companyname/ and all its subdirectories/files.

What are you suggesting doing with htaccess? Only allowing certain IPs into directory "x"? Password protection? Something I probably haven't thought of?

[cam]

Just password protect it via htaccess/htpasswd

[pgo]

Quote:

Originally Posted by cam

Just password protect it via htaccess/htpasswd

Right-o. Thanks cam.

[smallbeer]

the search engines won't find them unless you link to them.

[pgo]

Good point. All the same, I'll use robots.txt for that extra level of private goodness.

[paulanthony]

Quote:

Originally Posted by cam

And no, running stuff on localhost doesn't comprise your security.

That depends what you choose to run and how you choose to run it. A default IIS install on localhost is a gift from the gods. I know you are considering an AMP setup - as with anything unless you update and patch it would be nieve to think its gonna be risk free.

[paulanthony]

Quote:

Originally Posted by smallbeer

the search engines won't find them unless you link to them.

Just a note that it is possible for other people to link to them without you knowing, I have had a link to a domain appear through a "recently registered domains" page on some site.

http://www.domainregistry.ie/weekly.php

[cam]

Quote:

Originally Posted by paulanthony

That depends what you choose to run and how you choose to run it. A default IIS install on localhost is a gift from the gods. I know you are considering an AMP setup - as with anything unless you update and patch it would be nieve to think its gonna be risk free.

And you'd be accepting external connections onto a local development server why?

[paulanthony]

Because by default it accepts the connection.

[pgo]

How would one disable all external connections in Apache, then?

On a related, slightly funny note - I decided to try my home IP address from work and I came up with a password prompt for my router - then realized I hadn't changed the password from the default! Whoops! Coulda been big trouble.

[mike_m]

Quote:

Originally Posted by cam

Just password protect it via htaccess/htpasswd

yup, what he said

[pgo]

Thanks, will do.

As far as local development, I won't worry too much. I'll just use an installer, get AMP working locally (it is already, actually) and make sure my router is nice and secure (which it should be already).

[Limbo]

It's a nice touch to give you clients a login area with small news board and links to new and old version of the site ordered by revision. The 'red carpet' if you like. Make them feel special and it looks professional too - even if the technology is crude (i use a dead simple login script and give all clients a password that matches their directory name eg. www.mysite.com/clienta -> password pushes them to the index for that directory.)

[pgo]

Quote:

Originally Posted by Limbo

It's a nice touch to give you clients a login area with small news board and links to new and old version of the site ordered by revision. The 'red carpet' if you like. Make them feel special and it looks professional too - even if the technology is crude (i use a dead simple login script and give all clients a password that matches their directory name eg. www.mysite.com/clienta -> password pushes them to the index for that directory.)

I read up on and played with htaccess authentication. Don't care for it - it feels unprofessional. I'll just do something similar to what you're talking about, Limbo - just a PHP password protected directory for each client. Perhaps a "client area" page with my logo and a login screen (enter your company name/password).

[Jason1988]

What you should do is have an ASP or PHP access restricted page, then you could restrict access to anyone exept the person you want to get on the page.

This means robots wouldent be able to access the page even if they wanted to, I know the ASP code but not the PHP.

ASP code is as follows;

<%@LANGUAGE="VBSCRIPT"%>
<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers=""
MM_authFailedURL="ACCESSDENIEDPAGE.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
(InStr(1,MM_authorizedUsers,Session("MM_UserAuthor ization"))>=1) Then
MM_grantAccess = true
End If
End If
If Not MM_grantAccess Then
MM_qsChar = "?"
If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
MM_referrer = Request.ServerVariables("URL")
if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
Response.Redirect(MM_authFailedURL)
End If
%>

Make sure this ASP code cross refrences the username + password in the database, so that people cant just login or watever. Hope this helps. =)

[pgo]

I think I'm going to do something in PHP - seeing as my host doesn't support ASP (ASP hosting is generally more expensive, too).

Thanks anyway!

[Dusteh]

I want a single login page that allows multiple usernames/passwords, so that each seperate username is pushed onto a different index page, just so that you can have a single client login section that everybody can use.

Sadly I'm a graphic designer not a coder and don't know how to make this. Anyone found a script for this? It seems such an obvious thing I can't believe its not out there as open source already. ASP or PHP, doesn't bother me as to which one.

Maybe I'm just greedy/lazy (delete as applicable)