A video has been published here on YouTube that walks you through the complete process of creating a password protected website in RapidWeaver with Sentry.

Sentry offers an average degree of security, in that you can set a long and complex password of up to 4000 bytes, and the password is hidden from view in the page source code. However, it does not encrypt passwords or content, and it does not protect against brute-force attacks. So you definitely do not want to be using this stack to store highly sensitive information (like payroll data, private emails, address books or credit card details) on a website.

Potential uses of Sentry could include hiding a webpage until it has finished being built, creating a little "members only" sub-section on your website, adding some protection against audio or video files being ripped, restricting the display of content (like instructions, promotional material or pricing tables) to certain customers, making course material available to students for home learning, listing exclusive content for people using crowdfunding services like Patreon, or providing an area for people to upload files with a stack like Droplet. Basically this stack is good to use wherever you want a bit more added privacy on a webpage.

A particularly nice feature of Sentry is that logins are handled using tracking cookies, rather than anonymous sessions. Despite cookies sometimes getting a bad reputation, in our case they provide a far greater degree of user management. As a couple of examples, we can use tracking cookies to...

  • Control more precisely how long the user is logged-in for. Specify minutes, days, weeks or even years.
  • Create different 'levels' of user access across a wider website. Each Sentry stack supports multiple passwords.
  • Automatically log out idle users. Good to protect against people leaving browser windows open for long periods of time.
  • Use tracking cookies with other powerful stacks like Droplet, Indexer, CookieManager or MiniCookie.
  • Conditionally hide or show singular blocks of content on individual webpages, rather than the entire webpage.

If your website uses SSL (so the website address starts with https://) there is a checkbox option on the login form to use secure cookies. This adds another level of security and means the cookie is only ever sent over SSL connections (it is not sent to parts of the website that are not secure, so it cannot be captured from plain http traffic).

The box for entering a password is presented to the user as a conventional password input, with the option to toggle to a text input. We purposefully do not provide inputs like separate number boxes for passcodes, because accessibility experts highlight the serious problems this can burden users with.

The completed login form is compatible with password managers like 1Password, LastPass and Bitwarden, allowing users to save passwords and have them automatically re-entered on future visits.

Example

A secret webpage has been published here. The only way to view its content is to log in via Sentry. If you go to the secret page and you are not logged in, then you get redirected back here and shown the login form.

[Sentry login form, with QueryDisplay status messages for incorrect password, not permitted, automatically logged out after 1 minute of inactivity, logged out, and logged in]

The password for this test is: letmein
After you log in above (the password is letmein), you are redirected to the secret page. You should now be able to view its content.

As a test, try entering a wrong password. This makes a custom error message appear using the free QueryDisplay stack. We also use QueryDisplay to display a couple of other example messages for different actions or events, like logging out. These messages make the password system more intuitive.

After you log in, if you check the Storage tab in your web browser developer tools, you should see a new cookie named sentry_login whose value is the password. This is the little tracking cookie that Sentry uses to check whether you have permission to view a webpage.

On our secret page, you will also see a 'log out' button. This works to delete the tracking cookie and send the user back to the login page.

There is also an "idle logout" set up on the secret page. After the page has loaded, if you don't interact with the page for more than 1 minute, you are automatically logged out and returned to the login form.

Setup

Essentially there are two parts for setting up password protection using Sentry:

1. Creating a login form
This is needed so people can log in. A login form can either be added to an existing webpage (like your homepage) or you can create a new webpage to place the login form on. Don't place the login form on a webpage that itself requires full password protection (a user who is not logged in could never reach the form). Add a Sentry stack to the page and set its Configuration Type to Login Form. Then fill in the fields for the password. Cookie settings can be changed if required. You have a wide choice of settings to customise both the style and behaviour of the login form, and make it look like an integral part of your website. After the user has logged in, you can redirect them somewhere, like to the webpage you want to protect or back to a homepage.

2. Protecting a webpage
Add a single Sentry stack to the webpage you want to protect. In the Configuration Type, set the configuration to Protect This Webpage. People who are not logged in need to be shown the login form, so use the stack settings to set the link to your login form.

Other setup notes:
  • All webpages you place Sentry on require a .php file extension, instead of a .html one. Sentry will attempt to change this for you. This may require that you login to your hosting account via FTP or your file manager, to delete the older .html webpages.
  • If you set the Sentry Configuration Type to Logout Button, you can generate a button to delete the tracking cookie and log a user out. You are free to place a logout button on any webpages.
  • A Sentry stack with its configuration set to Idle Logout can be added to any webpage. This smart feature gives you the ability to logout "idle" users automatically - in a similar way to how some banking websites (e.g. PayPal) work. For example, if the user does not move their mouse or tap their keyboard for 5 minutes, they can be automatically logged-out.
  • The Conditional Display configuration works to stop sections of a webpage from being loaded, if the user is not logged in. As an example, you could place video or pricing table stacks inside this area, which will only be loaded if the user is logged in. Any basic stacks can be used within a conditional display.
  • All settings have little informational tooltips, when you mouseover them. These can help you understand what the different settings do and might display important notes.
  • You can configure a Sentry stack as a Partial. This makes setup quicker, in instances where you want to protect multiple webpages with the same password.
  • Assets or resources used in a protected webpage (like PDF files, video, images, audio and file downloads) are not protected: anyone with the direct link can still fetch them. It may be advisable to use longer, hard-to-guess links for these. You may wish to update your SEO preferences to request that search bots and spiders do not crawl protected pages or index items like images.
  • In the Advanced Settings (and with the Sentry configuration set to Login Form), incorrect login attempts via the login form can be logged. These logs are stored on the hosting server and contain the date, time, failed password, IP address and user agent. Potentially these logs can grow very large and could be accessed from other sources. So they are mostly intended to be enabled temporarily to assist with development or troubleshooting login problems. Disable logging if it's not needed.
  • It's strongly recommended that any website you use Sentry on has an SSL security certificate. This improves the security of your website and also ensures website users don't get nagged with popups about entering passwords in non-secure forms. If your web server (e.g. MAMP) does not use SSL, you will need to disable the option for secure cookies temporarily while testing this stack (otherwise the cookie will not be created).

Query strings

These are extra parameters or anchors appended onto URLs, when a redirect happens. For example, if a user pressed a logout button, we could attach a query string of ?loginstatus=loggedout to the address bar. Or if an idle user was automatically logged-out, we could similarly use a query string of ?loginstatus=timedout on the URL. If we need the browser to redirect to a specific part of the webpage (like the login form) we can similarly use anchors like #loginform on the address.

Query strings on the address bar might look something like this:

https://example.com/login/?loginstatus=loggedout

https://example.com/login/?loginstatus=timedout

https://example.com/login/#loginform

We could then utilise a free stack like QueryDisplay to display some information to these users. This can make the whole process more intuitive. For logged-out users we could display a message along the lines of "Thank you, you are now logged out". And for idle users, a similar message of "We logged you out automatically, because you were inactive for 5 minutes" could be displayed. Both messages could be placed as headings above the login form. It is possible to combine both a query string and an anchor like this:

https://example.com/login/?loginstatus=loggedout#logout

The beauty of this system is you could create a highly sophisticated setup of query strings and messages; to the extent of being able to customise the messages depending on which webpage the user was referred from and their login status.

Handling incorrect logins

Sentry does not include a message for failed login attempts. The default behaviour is to reload the login webpage. To display a message that the user has entered an incorrect or invalid password, enable the Action Incorrect Logins checkbox setting. Then set the redirect link (for failed logins) back to the current login page. Use a query string of something like ?loginstatus=incorrect and combine this with our free QueryDisplay stack. Place the message, support information or help contact links you want shown in the QueryDisplay stack.
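The query-string messages described in the two sections above, written out as an added PHP example for a login page (this is illustrative code, not Sentry's or QueryDisplay's own). The message table and the `/login/` path are assumptions; the `loginstatus` values are the ones used on this page.

```php
<?php
// Added example: show a message chosen by ?loginstatus= on the login page.
// Only keys in this table are ever output, so a crafted query string such as
// ?loginstatus=<script> cannot inject anything; unknown values show nothing.
$messages = [
    'loggedout' => 'Thank you, you are now logged out.',
    'timedout'  => 'We logged you out automatically, because you were inactive for 5 minutes.',
    'incorrect' => 'Sorry, the password you entered was incorrect. Please try again.',
];

// Returns the message for a known status, or null for missing/unknown values.
function loginStatusMessage(array $messages, ?string $status): ?string
{
    if ($status === null || !array_key_exists($status, $messages)) {
        return null;
    }
    return $messages[$status];
}

// Helper a failed-login handler can call: redirect back to the login page with
// the status in the query string and the #loginform anchor (assumed path).
function redirectToLoginWithStatus(string $status): void
{
    header('Location: /login/?loginstatus=' . rawurlencode($status) . '#loginform', true, 302);
    exit;
}

$status  = isset($_GET['loginstatus']) ? (string) $_GET['loginstatus'] : null;
$message = loginStatusMessage($messages, $status);
?>
<?php if ($message !== null): ?>
  <!-- escaping is belt-and-braces here: the text already comes from our own table -->
  <h2 id="loginform"><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></h2>
<?php endif; ?>
```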

Using Sentry to password protect multiple webpages

The easiest solution is to create your dedicated login webpage in the normal way. Set it as a redirect to the webpage users would commonly come through, like a homepage or landing page.

On every page you want password protected, simply add one Sentry stack configured to Protect This Webpage. Set this Sentry stack's link back to your login webpage, for the benefit of users who are not logged in. If you make your Sentry stack a Partial, you can quickly add the same stack to all the pages you want protected. Redirect links to the login webpage are automatically updated to reflect the address of each protected page.

Can I setup more than one password?

Yes, you absolutely can! For the login form, conditional display or page protection configurations, simply enter two or more passwords in the Passwords box. Separate each password with a single space. There is no requirement to put each password inside quote marks or separate them with commas. Sentry has some smart code that automatically converts a space-separated list of passwords into an array. When a website user arrives at a protected page, Sentry will first look for the presence of a sentry_password tracking cookie. If the cookie is found, then Sentry compares the cookie value with the list of passwords you supply. This system means that even if a person can fake the creation of a new sentry_password tracking cookie in their web browser, the value of the cookie is still tested against the list and has to be an exact match.

For logout buttons or idle logouts, we simply delete the entire tracking cookie, regardless of which password is assigned to it. This helps keep things simple and ensures the same logout button or idle logout can be used for multiple passwords.
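The cookie check described in this section and the secure-cookie option from the cookies section above, written out as an added PHP example (illustrative code, not Sentry's own). The cookie name follows this section (sentry_password), the password list is a constructed sample, and the `/login/` path and cookie lifetime are assumptions.

```php
<?php
// Added example: split a space-separated password list into an array and
// require the login cookie's value to match one entry exactly. Not Sentry's code.
const SENTRY_COOKIE = 'sentry_password';                  // name used on this page
const PASSWORD_LIST = 'letmein staff-only second-tier';   // constructed sample list

// preg_split collapses runs of whitespace; array_filter drops empty entries.
function passwordsFromList(string $list): array
{
    return array_values(array_filter(preg_split('/\s+/', trim($list))));
}

// True only for an exact match; a prefix, case variant or forged cookie with
// any other value is rejected. hash_equals keeps the comparison constant-time.
function cookieGrantsAccess(?string $cookieValue, array $passwords): bool
{
    if ($cookieValue === null) {
        return false;
    }
    foreach ($passwords as $password) {
        if (hash_equals($password, $cookieValue)) {
            return true;
        }
    }
    return false;
}

// Secure restricts the cookie to https (the page's "secure cookies" option),
// HttpOnly keeps page scripts from reading it, SameSite=Strict stops it being
// sent on cross-site requests. $lifetime is the login duration in seconds.
function issueLoginCookie(string $password, int $lifetime, bool $httpsOnly): void
{
    setcookie(SENTRY_COOKIE, $password, [
        'expires' => time() + $lifetime, 'path' => '/',
        'secure' => $httpsOnly, 'httponly' => true, 'samesite' => 'Strict',
    ]);
}

// Logout or idle logout: delete the whole cookie, whichever password it held.
function deleteLoginCookie(): void
{
    setcookie(SENTRY_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Guard at the top of a protected .php page: send anonymous users to the form.
$passwords = passwordsFromList(PASSWORD_LIST);
if (!cookieGrantsAccess($_COOKIE[SENTRY_COOKIE] ?? null, $passwords)) {
    header('Location: /login/#loginform', true, 302);
    exit;
}
```

Note that, as the page describes, the cookie carries the password itself, so anyone who can read the browser's cookie store (or plain http traffic, if the secure flag is off) learns the password; a random session token mapped to the password on the server would avoid that exposure.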