I have a site i am working on that i would like to display only to a few others for now. Is there anything wrong with setting up windows user names and using windows auth to prompt the user before getting into the development site?
+1
A:
I do this frequently. I use Hamachi to allow them to access my dev box so they can see whats going on. they have access to it when they want , and/or when I allow. When they are done I evict them from my Hamachi network and change the password.
Hamachi is a software VPN. Heres a link to Hamachi - AKA LogMeIn
They have a free version which works quite well.
William T Wild
2009-02-21 23:09:33
+2
A:
That depends on what you mean by "best": for example, do you mean "easiest" or "most secure"?
The best way might be to have it on a private network, which you attach to via VPN.
ChrisW
2009-02-21 23:10:31
+5
A:
There are several ways, with varying degrees of security:
- Don't put it on the internet - put it on a private network, and use a VPN to access it
- Restrict access with HTTP authentication (as you suggest). The downside to this is it can interfere with the actual site, if you are using HTTP auth, or some other type of authentication as part of the application.
- Restrict access based on remote IP. Just allow the IPs of users you want to be able to access it.
- Use a custom hostname. Have it on a public IP, but don't publish the hostname. This means make an entry in your HOSTS file (or configure your own DNS server, if possible) so that "blah.mysite.com" goes to the site, but that is not available on the internet. Obviously you'd only make the site accessible when using that hostname (and not the IP).
gregmac
2009-02-21 23:16:49
+1
A:
Of course, there's nothing wrong with Windows auth. There are couple of (not too big) drawbacks, though:
- your website auth scheme is different from the final product.
- you are giving them more access to the box they really need.
- you automatically reimaging the machine and redeploying the website is more complex, as you have to automate the windows account creation.
I would suggest two alternatives:
- to do whatever auth you plan on doing in the final website and make sure all pager require auth
- do a token cookie based auth - send them a link that sets a particular token in a cookie and in your website code add quick check for that token before you even go to the regular user auth
Franci Penov
2009-02-21 23:17:27
+1
A:
If you aren't married to IIS, and you need developers to be able to change the content, I would consider Apache + SSL + WebDav (aka Web Folders). This will allow you to offer a secure sandbox where developers can change and view the content without having user accounts on the server.
This setup requires some knowledge of Apache so it only makes sense if you are already using Apache or if you frequently need to provide outsiders access to your web server.
First useful link I found on the topic: http://pascal.thivent.name/2007/08/howto-setup-apache-224-webdav-under.html
Mark Porter
2009-02-21 23:52:58
A:
Why don't you just set up an NTFS user and assign it to the website (and remove anonymous access)
Andrew Bullock
2009-02-22 00:47:43