Welcome to the strongbox wiki!
When someone tries to log in to your site, Strongbox will do one of several things, depending on several factors that Strongbox analyzes. Strongbox can:
- approve the login and let them in
- deny the login and record the reason for denial
- deny the login and suspend the IP address or user name for up to 3 hours
- deny the login and disable the user name permanently
Strongbox will also send notification emails to you when it notices some types of unusual activity.
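To make the four outcomes concrete, here is an added example of a login-decision policy written for this wiki page in Python; it is not Strongbox's own code. The 3-hour suspension and the 1-3 second delay come from this page; the failure thresholds (5 bad passwords per suspension, 3 suspensions before a permanent disable), the per-IP suspension and the `secret_word_ok` flag are assumptions made for the demonstration.

```python
"""Added example (not Strongbox's own code): a login-decision policy that
produces the four outcomes listed above. The failure thresholds, the
per-IP suspension and the secret-word flag are assumptions."""
import time
from dataclasses import dataclass, field

SUSPEND_SECONDS = 3 * 60 * 60      # "up to 3 hours", as the page states
SUSPEND_AFTER_FAILURES = 5         # assumed: wrong passwords before a suspension
DISABLE_AFTER_SUSPENSIONS = 3      # assumed: suspensions before a permanent disable
LOGIN_DELAY_SECONDS = 2            # the intentional 1-3 second delay on every attempt

APPROVE = "approve"
DENY = "deny"
DENY_SUSPEND = "deny+suspend"
DENY_DISABLE = "deny+disable"


@dataclass
class Account:
    password: str                  # plaintext only to keep the constructed sample short
    disabled: bool = False
    failures: int = 0
    suspensions: int = 0
    suspended_until: float = 0.0


@dataclass
class LoginPolicy:
    accounts: dict
    ip_suspended_until: dict = field(default_factory=dict)
    log: list = field(default_factory=list)     # every decision and its reason

    def _record(self, outcome, username, ip, reason, now):
        self.log.append((now, outcome, username, ip, reason))
        return outcome, reason

    def decide(self, username, password, secret_word_ok, ip, now):
        """Return (outcome, reason) for one login attempt at time `now`."""
        acct = self.accounts.get(username)
        if acct is None:
            return self._record(DENY, username, ip, "unknown user", now)
        if acct.disabled:
            return self._record(DENY, username, ip, "user disabled", now)
        if now < acct.suspended_until or now < self.ip_suspended_until.get(ip, 0.0):
            return self._record(DENY, username, ip, "suspended", now)
        if not secret_word_ok:
            # Wrong Turing-test word: the password is never even compared
            return self._record(DENY, username, ip, "wrong secret word", now)
        if password != acct.password:
            acct.failures += 1
            if acct.failures < SUSPEND_AFTER_FAILURES:
                return self._record(DENY, username, ip, "bad password", now)
            # Threshold reached: suspend both the user name and the source IP
            acct.failures = 0
            acct.suspensions += 1
            if acct.suspensions >= DISABLE_AFTER_SUSPENSIONS:
                acct.disabled = True
                return self._record(DENY_DISABLE, username, ip, "repeated suspensions", now)
            acct.suspended_until = now + SUSPEND_SECONDS
            self.ip_suspended_until[ip] = now + SUSPEND_SECONDS
            return self._record(DENY_SUSPEND, username, ip, "too many bad passwords", now)
        acct.failures = 0
        return self._record(APPROVE, username, ip, "ok", now)


def attempt(policy, *args, delay=LOGIN_DELAY_SECONDS):
    """Wrap decide() with the deliberate delay that slows every guess down."""
    time.sleep(delay)
    return policy.decide(*args)


if __name__ == "__main__":
    # Constructed sample: one account, one guess from a documentation IP
    policy = LoginPolicy({"alice": Account("correct-horse")})
    print(attempt(policy, "alice", "wrong", True, "203.0.113.7", time.time()))
    print(policy.log)
```

The delay lives in `attempt()` rather than in `decide()` so that the decision logic stays testable without sleeping; every denial, including the reason, is appended to `log`, which is what the "record the reason for denial" outcome refers to.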
Session IDs in URL
When you log in to your site, you may notice that the members’ area URL no longer shows as yourSite.com/members/, but rather as something like sb9fjsa7th3o.yourSite.com/members/. The hostname portion of the address contains what we call a “newton”. It’s used like a cookie, but it’s not a cookie, so it’s a newton :~) The newton contains the Strongbox session ID, which always starts with the letters “sb”. This is the reason you can’t use fully qualified URLs in links within your members’ area: if a link took them to “yourSite.com”, they would lose their newton and not be able to access the site. To access your site, the user’s session ID from the newton must be a valid ID, it must not have expired, and it must match their system fingerprint. To discourage people from sharing their session ID, Strongbox records a system fingerprint when they log in, which includes their OS version, browser version, whether or not they have Word or Excel installed, and other such information.
Learn more at Newtons: in-url session IDs
REPORTS AND MEMBER MANAGEMENT
Admin users can access the reporting module at: yourSite.com/sblogin/report/
CUSTOMIZING THE LOGIN AND DENIED PAGES
The login page and the page shown when a login attempt is denied are both plain HTML files that you can edit with any text editor to better suit the look of your site. We don’t suggest using a WYSIWYG editor such as FrontPage, because these programs are designed primarily for home use on hobby web sites and may make changes to your pages which aren’t desired on a professional site. Dreamweaver also has a tendency to break any page which includes a form. The login page is sblogin/login.shtml and the denied page is sblogin/badlogin.shtml (or in some cases, login.php and badlogin.php). There is no requirement for you to make any changes to these pages at all.
Strongbox has a couple of features that help to avoid “ripping” or “slurping”, where someone uses automated software to spider your protected members’ area, downloading everything they can in one night. One built-in feature which is already active is that Strongbox will only allow them to download your protected pages and other protected media using the same browser that they logged in with. They are not allowed to log in using Firefox, for example, and then use some ripping software to start downloading all of your images and videos. (Most download managers that activate when a specific link is clicked in the browser are supported, however.)
Additionally, Strongbox includes a simple “anti-slurp” CGI script which detects attempts to automatically download a large amount of your content by spidering your members’ pages. When such automated ripping software is detected the user’s session is ended and they cannot download any more without manually logging in through the download page. This script works from hidden links you can place in your pages which will only be hit by site rippers. To use this anti-slurp script, you need to cut and paste this code into some of your pages:
Paste that into the HTML of your main members’ page and some of your galleries, near the top of the file. If your site’s HTML is generated by a script, you may be able to paste the above HTML into the header used by the script to generate all pages.
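The newton check described under “Session IDs in URL” and the anti-slurp trap described here share the same moving parts (a session tied to a fingerprint, an expiry, and a way to end the session), so one added example covers both. It is written in Python for this wiki page and is not Strongbox’s own script: the session lifetime, the three fingerprint fields, the `/members/sb-trap/` path that the hidden link would point at, and the hostnames and session IDs are all constructed for the demonstration.

```python
"""Added example (not Strongbox's own code): a newton-style session check
plus an anti-slurp trap. Session lifetime, fingerprint fields and the
trap path are assumptions made for this illustration."""
import hashlib
from dataclasses import dataclass

SESSION_TTL = 30 * 60                  # assumed 30-minute session lifetime
TRAP_PATH = "/members/sb-trap/"        # assumed target of the hidden link; never linked visibly


@dataclass
class Session:
    fingerprint: str
    expires_at: float
    active: bool = True


def make_fingerprint(os_version, browser_version, office_installed):
    """Hash the client attributes the page says are recorded at login."""
    raw = f"{os_version}|{browser_version}|{int(office_installed)}"
    return hashlib.sha256(raw.encode()).hexdigest()


def extract_newton(hostname):
    """Return the session id carried in the leftmost hostname label, or None.

    A link to the bare yourSite.com carries no newton, which is why fully
    qualified links inside the members' area lose the session."""
    labels = hostname.split(".")
    if len(labels) < 3:
        return None
    label = labels[0]
    return label if label.startswith("sb") and label[2:].isalnum() else None


def login(store, session_id, fingerprint, now):
    """Create the session that the newton will refer to."""
    store[session_id] = Session(fingerprint, now + SESSION_TTL)


def handle_request(store, hostname, path, fingerprint, now):
    """Decide whether one members'-area request may be served."""
    sid = extract_newton(hostname)
    if sid is None or sid not in store:
        return "denied: no valid newton"
    session = store[sid]
    if not session.active:
        return "denied: session ended"
    if now > session.expires_at:
        return "denied: session expired"
    if fingerprint != session.fingerprint:
        # Same session id, different client: the "same browser only" rule
        return "denied: fingerprint mismatch"
    if path == TRAP_PATH:
        # Only a spider following hidden links reaches this path
        session.active = False
        return "denied: trap hit, session ended"
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: a browser logs in, then a ripper reuses the newton
    store = {}
    browser = make_fingerprint("Windows 10", "Firefox 115", True)
    login(store, "sb9fjsa7th3o", browser, 1000.0)
    for host, path, fp, t in [
        ("sb9fjsa7th3o.yourSite.com", "/members/", browser, 1001.0),
        ("yourSite.com", "/members/", browser, 1001.0),
        ("sb9fjsa7th3o.yourSite.com", TRAP_PATH, browser, 1003.0),
        ("sb9fjsa7th3o.yourSite.com", "/members/", browser, 1004.0),
    ]:
        print(path, "->", handle_request(store, host, path, fp, t))
```

Once the trap has been hit the session is dead for every later request, so the user has to log in again by hand, which is the behaviour the anti-slurp script is described as producing.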
TURING TEST (CAPTCHA)
The login page has fields not only for the user name and password, but also for the “secret word” shown in a Turing image on the login form. This feature helps protect against automated “dictionary” or “brute force” attacks, where thousands of user name and password combinations are attempted. Because the cracker’s software cannot tell what word is shown in the image, such login attempts will never be approved and your site is essentially immune to such attacks. Only an actual human reading the word each time and typing it in correctly can be granted access, or at least that’s what crackers think.
HANDOFF FOR SECURE LINKS BETWEEN SITES
If you have more than one Strongbox-protected site, you can use the Strongbox handoff function to link the members’ area of one site to the members’ area of another in a cryptographically secure fashion. Read more at: https://github.com/comglobalit/strongbox/wiki/Single-Sign-On-(SSO)-with-Strongbox-Handoff
Also, when logging in you may notice a delay of about 1-3 seconds before Strongbox authorizes you. This is a normal (and intentional) part of the Strongbox login process. The delay is part of a strategy that Strongbox uses to really ruin an attacker’s day.
TURNING STRONGBOX OFF
Should you ever wish to temporarily disable Strongbox for any reason, simply rename .htaccess_sb and rename .htaccess. Your site will then use the old pop-up gray box again. Renaming the files back again will turn Strongbox back on.
logout.php under your member’s area, usually