New Topic Subscription Options |
Secure HTTPS code CC code problem
Forums: General Discussion | |||
|
|||
Participant: Log in to see names |
Monday, November 25, 2019 at 12:08 AM
This TOPIC discusses a method to make your site secure. It works, however, CC needs to make some modifications to cookie storage. I ran into a problem that only CC can fix. Cookie login is not passed onto secure site URL. Admins have a special cookie for https://classcreator.com + sitename. This stores your login data. When the script switches to https it uses the "https" cookie vs the original site cookie to keep you logged in. An admin creates that cookie when they do special stuff, such as Edit Site pages Shocked Your regular users do not have the https cookie. So they can never log in all the way. I did not notice this until I cleared all the cookie data for another idea. That's when it got stuck in a "loop" of sorts. A login where the script ran would not stay logged in. Not too cool. If CC fixes this, then everything works. Otherwise, not so much.
|
||
|
|||
Participant: Log in to see names |
Monday, November 25, 2019 at 1:22 PM - Response #1
Thanks for this update, Jack. Would appreciate feedback from CC tech support (forget the wording about certain portions are secure). My classmates continue to be cautious and some will not log on to an insecure website. We’re publicizing an upcoming Reunion. It’s critical our site is NOT listed as insecure. Thank you.
|
||
|
|||
Participant: Log in to see names |
Monday, November 25, 2019 at 2:03 PM - Response #2
So close and so far away I agree that although some areas are "secure" it doesn't help the basic problem at all. Classmates think it is Not Secure. Here is my post about a BUG on a similar issue that is related. Login is not secure for RD users. PS - at least I verified that all the pages work fine if the CC website name is used. The cookie used is the issue. Admins happen to have that set if they use any of the special https options. That would go away if the https name was used at the very beginning.
|
||
|
|||
Participant: Log in to see names |
Monday, December 16, 2019 at 3:45 PM - Response #3
None of these replies make any sense to me. "RD users"?.."CC website"?.. "special cookie"?.. I need my site to be https!!!
|
||
|
|||
Participant: Log in to see names |
Monday, December 16, 2019 at 10:50 PM - Response #4
RD = Responsive Design, a basic layout choice in Change Design. Yours is the "Classic" old original fixed layout. RD is more flexible and adapts to modern mobile devices better. CC = ClassCreator Cookie = The tiny bit of information stored by CC when you are logged in as a "user". No cookie, no see. Admins have a special extra cookie. Cookies are organized by URL (Universal Resource Locator - also known as the domain name or web address). So when you "log in" the URL is temporarily HTTPS but then goes back to YOUR domain name and thus the cookie changes. I wonder if CC can make it so you just go to the raw CC URL (that is NOT your domain name)? If that were done, I can make your site HTTPS instantly with no other changes. This is what your site started as before you bought a "domain name". ALL the links that CC creates have to be the same as if you had no domain name at all. The domain name is not really looked at once a classmate arrives at a site. They could care less. The request: Can we "undo" this linkage on request OR enable the cookie storage same as admins? Ask them since it's duck simple to make sites HTTPS. I've done it! Admins actually have this ability already. That's what mislead me for a bit when I had it all working - then when I cleared all the cookies and started over is when I noticed the issue. UGH. So the funny thing is that "free" sites can be HTTPS but sites that pay can not be HTTPS at this time.
|
||
|
|||
Participant: Log in to see names |
Tuesday, December 17, 2019 at 3:31 AM - Response #5
Jack, if the raw CC URL differs from what I now see, then I disagree with "The domain name is not really looked at once a classmate arrives at a site. They could care less." I often copy the URL of a page and paste it in a comment on Facebook. It's important to me to have my website name seen (which is now part of the URL), instead of the raw CC URL, which would be different, if I'm understanding you correctly.
|
||
|
|||
Participant: Log in to see names |
Tuesday, December 17, 2019 at 11:43 AM - Response #6
I agree some do, but the vast number of articles on www switch url names. FB is a prime example. The real question: is that more important than HTTPS? What I described is EASY for CC to give as an Option. If CC just lets you pick the landing, I have the rest solved
|
||
|
|||
Participant: Log in to see names |
Tuesday, December 17, 2019 at 11:46 AM - Response #7
BTW, your class name is in the "raw" url. Go to edit any page and you can see.
|
||
|
|||
Participant: Log in to see names |
Tuesday, December 17, 2019 at 1:26 PM - Response #8
And this is your "raw" URL. Notice that I found it with HTTPS - I did not add the "S". [Not that it matters, but instead of searching for it, I could have just "signed in" and it automatically goes to that URL. IOW, it already "switches".] https://www.classcreator.com/East-Longmeadow-MA-1970 ours is https://www.classcreator.com/Bothell-WA-Bothell-Senior-1961 Those https URL names actually is what got me to arrive at the solution presented. To my eyes, the class is clearly identified if someone looked at the URL.
|
||
|
|||
Participant: Log in to see names |
Wednesday, December 18, 2019 at 11:38 AM - Response #9
Jack, thanks for your explanation. When I copy and paste a page's URL to Facebook, I copy the page URL, not the one on the edit page. So, if I wish to post the Life Tribute on John McGrady, the URL is http://www.eastlongmeadowhighschool1970.com/class_profile.cfm?member_id=2024673. If I used the edit page URL, it would be https://www.classcreator.com/East-Longmeadow-MA-1970/class_admin_inmemory_form.cfm?member_id=2024673&whattodo=Edit. I don't particularly care if there's an https or http at the beginning, as all our site pages are unlocked by design except classmate profiles, which are locked or unlocked by the classmate. For Facebook posts, I do care that our full class site name is seen at the beginning of the URL.
|
||
|
|||
Participant: Log in to see names |
Wednesday, December 18, 2019 at 1:57 PM - Response #10
Remember, this is an OPTIONAL choice - if CC fixes the cookie issue then one could just install the script I made and all done (as I noted, it actually works if one is an admin). The other "fix" (by choice) is for CC to land on the "raw" URL, not the domain - just like a "free" site - and then use a simpler version of same script (if CC does not change to https at the same time). So you could have a domain for links (either solution) and be "secure". If one is happy with the way things are, don't do anything My suggestion always referred to this as a choice. The topic is that many want sites to be HTTPS because of security concerns (real or not) expressed by classmates. I'm just describing relatively easy ways to accomplish this goal since CC has not made any progress for over a YEAR. Next describes how FB works. You can see that FB makes it very clear where posts come from - for those that care. FB resident urls/images do NOT actually have the page name as such. FB is sort of like a mini-domain system. You get the FB page link and it decodes to the actual FB page. In addition, it shows users a description of the origin. Links on FB from external sites do the same thing. News feeds from outside sources are common examples. For CC sites, they decode and actually show the class name as defined in the "meta" data. IOW that has nothing to do with the "domain name". Makes it pretty clear where the post came from. Try it - Make a FB post using the class https raw name. You'll see what it does. Where does it get that data? From your meta data! You don't even have to actually post, preview shows instantly how it decodes. Pretty clear to anyone where the link is from. This what FB shows for https://www.classcreator.com/East-Longmeadow-MA-1970 The first line is there because CC changes that link. However, all the following lines come from the Meta Data on your site, word for word. FREE sites are a perfect example of how the meta data is used. The difference is that the first line shows classcreator.com but the next lines are exactly the same - the site description created by admin. eastlongmeadowhighschool1970.com
|
||
|
|||
Participant: Log in to see names |
Wednesday, December 18, 2019 at 4:58 PM - Response #11
I forgot to explain that https is not related with whether site pages are locked or not. It has to do with Secure Transmission of data. Technically it is possible for a "hacker" to get into your data stream with an http only link because they can literally see the data stream. That's why the login pages are now https. Before it was possible to get the username and pw just by looking at the stream (which anyone can do). HTTPS It provides encrypted and secure identification of a network server. Encrypted means that the data is scrambled with a "key". Think of WWII Enigma codes. HTTP There is no privacy as anyone can see content. Pretty much like listening in to the old time party line phone. So for example if you were browsing on a public network, anyone can intercept and "see" your http data. They can't do the same with https. And that is why people want HTTPS.
|
||
|
New Topic |
Subscription Options: Have all new forum posts sent directly to your email. |
Subscription options are available after you log in. |