Private pages secure?

Hi,

I set up one private page among many other public pages to see how secure it is. The published page seems to only ask for the password once. After that the private page stays open, even if the tab/window of the whole published site has been closed. The password only seems to need to be entered again if the browser itself has been closed and reopened.

That does not seem very secure nor private to me. For instance in my case I close tabs all the time but there are days that I don’t close my browser, so all that time any other user of my computer would have access to that private page. If I do that, at least some customers do the same.

Is my observation that the private page is quite insecure correct, or am I missing something? I logged out to see if that made any difference but it doesn’t.

Does anybody have more information on this?

Thanks


Here is my public share link: https://preview.webflow.com/preview/flux-trainingen?preview=d9d668d9795d7f0fe07c5f2730ed47b5

Hi @Wim, thanks for the good question. The pages are still secure; it just means that when you have put in the password the first time, the encrypted password data that is verified to gain access has been cached for that browser session, so that you do not need to type in the password all the time.

This is pretty standard behavior for password protected pages.

I might be misunderstanding the issue, but the pages are still secure, i.e. someone without the password would not be able to read that page from another computer that had not previously logged in with the password.

Hi Dave,

Thanks for the information.

I don’t think it is standard behavior of secure pages that they are freely accessible all the time. Like with banks and most secured pages, after a limited time of inactivity you have to log in again, and certainly most of the time when the window has been closed.

The issue is that if somebody has a home computer that is being used by other persons, the page is freely accessible without a password by anyone until the browser has been shut down. Or imagine somebody opening a private page on a public computer who only closes the window but forgets to close the browser. Anybody could just access that private page from history. Or somebody at work having looked up the private page, opens other tabs, forgets about the private page, walks away, and somebody else uses the same computer and can freely access that private page. Not very secure.

Is there anything, like extra code, that can be done to have more privacy and security? Like a 10 minute inactivity shut down, etc.?

Thanks

Hi @Wim, thanks for getting back to me. I think you make some valid points for sure, and something that our team can look at.

I guess what I meant is that when you are using another online service, let’s say Google, password protected pages are cached to your login and the user session lasts for anywhere from 1 day to 30 days.

I totally agree there are password protection mechanisms that do automatically re-protect the page after a certain amount of time, and I think it is definitely something that could be added to the https://wishlist.webflow.com and get that discussion going.

Oh god please don’t.
You are telling me you don’t lock your computer when you are done using it?
You are telling me you are using banking applications on public computers
or passwords on public wifis?

facepalm :joy:

Did you know that the webflow app doesn’t log you out automatically either?
You want to see a timeout protection applied everywhere I guess.
Horrible idea.

Except for banking applications, can you name just three more websites that do that?
I’m curious.

Hi @Karl-Heinrich, @cyberdave,

I don’t use public computers at all, I have no banking app on my mobile phone, my computer locks by itself after 5 minutes of inactivity. I am not stupid. What I do not always do, is completely close my browser after having logged in on a secure page. Because I assume when I close the window that site is gone. I just checked with Google apps. If I close the window or tab and have no other Google pages open, I have to log in again with a password. (I am in Europe and perhaps this is different from USA, @cyberdave). I have no problems with the Webflow app staying open. Although if somebody else would use my computer I would log out. Imagine a kid of a builder playing around in Webflow.

The private page I don’t want for myself. It is for students that treat clients. Those clients give me feedback and I want a system so the student has access to an edited version of that feedback. The feedback from the customer is sensitive and delivered in good faith. If the feedback gets into the wrong hands, or is even read by people who have nothing to do with it, my integrity is at stake because my customers and students trust me. And that makes me very nervous. Because if things can go wrong, they might go wrong. And with this kind of security, chances are higher it might go wrong. Not everybody is smart with computers and even if I would instruct students that they have to close the browser after looking at the page, some will not. And frankly, if I would instruct my students that they have to close the browser, it shows a lack of security. My thought as a student would be: “oh wow, that site is apparently not very secure. Why did he choose such an amateur setup if information is sensitive? Why did he not pay a little bit more for a real professional setup?”

I just checked something else: I put a new record in the collection and I changed the password of the private page. Then I published. Anybody who has opened the private page before and has not closed the browser can access the private page and read the new review without even having to put in the new password. Wow! That is insecure! Changing passwords on my end will only have effect if people have closed their browser.

I don’t want to enforce anything on anybody. But builders and customers have different needs for security. So, I think it would be a great idea if there would be security levels that a Webflow customer can choose from. Like having to log in again after closing the window or tab; like logging in again after a time-out, minutes or days; like logging in again after a password has changed and at least blocking new information until the new password has been put in; and of course for the ones who don’t have so much need for privacy: log in only after a browser has been closed.

Another consideration: I heard private pages and private websites are booming in a young generation, say age 20-30. Would be good to have options and being able to go along with a trend instead of having the chance of being looked at as old-school.
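
Two of the behaviours requested in the post above (re-login after a period of inactivity, and after the page password has changed) depend on the server checking session state on every request rather than trusting whatever the browser has cached. The following is an added example, not Webflow's code and not part of the thread; `PageGate`, its method names and the idle limit passed to it are hypothetical.

```javascript
// Added example: server-side session checks for a password-protected page.
// PageGate and all of its members are hypothetical names.
const crypto = require("node:crypto");

class PageGate {
  constructor(password, idleLimitMs) {
    this.idleLimitMs = idleLimitMs;
    this.sessions = new Map(); // sessionId -> { passwordVersion, lastSeen }
    this.passwordVersion = 0;
    this.setPassword(password);
  }

  // Store only a salted hash; every change bumps the version counter.
  setPassword(password) {
    this.salt = crypto.randomBytes(16);
    this.hash = crypto.scryptSync(password, this.salt, 32);
    this.passwordVersion += 1;
  }

  // Returns a random session id on success, null on a wrong password.
  login(password, now) {
    const candidate = crypto.scryptSync(password, this.salt, 32);
    if (!crypto.timingSafeEqual(candidate, this.hash)) return null;
    const id = crypto.randomBytes(32).toString("hex");
    this.sessions.set(id, { passwordVersion: this.passwordVersion, lastSeen: now });
    return id;
  }

  // Called on every request for the private page.
  check(id, now) {
    const s = this.sessions.get(id);
    if (!s) return { ok: false, reason: "no-session" };
    if (s.passwordVersion !== this.passwordVersion) {
      this.sessions.delete(id); // password rotated: old sessions are void
      return { ok: false, reason: "password-changed" };
    }
    if (now - s.lastSeen > this.idleLimitMs) {
      this.sessions.delete(id); // idle too long: force a new login
      return { ok: false, reason: "idle-timeout" };
    }
    s.lastSeen = now; // sliding window: activity extends the session
    return { ok: true, reason: "active" };
  }
}
```

Because the session record lives on the server, changing the password or letting the idle limit pass revokes access even in a browser that was never closed.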
