I have some concern that anyone can see confidential info on a class site by posing as a classmate. They could just select anyone that hasn't enrolled a profile yet & act like they were that person. I tried this (probably shouldn't have, but I wanted to know how it worked). I believe that even an invalid email address could be used by anyone to establish a (ficticious) profile & thereby see anything that our trusting classmates post. Maybe you'll have other ideas, Brad, but one partial solution could be a system generated password that would be sent to the email address for validation. Then the user could change the password to their own. The negative is that it could discourage classmates from following through with enrollment. Also, I wondered about the status of getting back bounced emails for invalid addresses. 'Just some thoughts.

Maybe you could ask a question on the profile generator that only a classmate would know and is not available on the internet? "For security purposes please name 2 teachers you had in high school" If they get the answer wrong, you could email them and verify another way. Just an idea. I don't think there is any way the class creator designers can otherwise verify someone is who they say they are.

What you are referring to is known as "hijacking." Just search these forums for the term hijacking and you'll see how many times this has come up before.

The reason confirming an email address will not work is because anyone can create a free gmail or hotmail email address in about 2 seconds, totally bypassing the security feature.

Fortunately hijacking is rare, so this entire time we've simply told Administrators to password protect their Classmate Profiles page if this becomes an issue on the site. That alone will stop a hijacker from assuming the identity of a Classmate.

But better still, we have a new Preferences feature coming out that will totally stop hijackers from doing anything on your site at all until their identify has been authenticated. And since you're obviously not going to authenticate a hijacker, that person is powerless to do anything on your site, contact other Classamtes, get into private areas of the site, etc. Dave is working hard on the new Preferences are right now that will stop hijackers in their tracks, and we're expecting a launch shortly after Christmas. Check it out in this thread.

Brad,

I have noticed that anyone can access the home page of our websites. This is certainly necessary so those looking for their website can view and contact for enrollment. Is there anything we can do to prevent accessing any of the links on the website, i.e. classmate profiles? I am thinking about setting up a site for our HOA and the idea that someone could click a link and see everyone's address and name would make homeowners hesitate to enroll in the site, me included. This would also eliminate anyone from setting up a fictitious profile under another person’s name because they wouldn't have access.

Your thoughts and help are always appreciated!

Gini Morgan

Why not simply password protect those pages? That way only members of your web site can get in. Password protecting those pages will not only block them from viewing by the general public, it will also stop search engine spiders from indexing that content.

Brad Switzer wrote:

Is the edit pages option where you would password protect? Is there anyway to protect even the home page?

Sure, in that same area just put a checkbox in the password column next to your home page. Can't recommend doing that, as it will make it incredibly difficult for new Classmates to join your site. But you do indeed have the option.