To register PlusKit enter the page settings (shift-cmd-i) for the pluskit page and click on the 'wrench' icon -- In that tab you should see a place to enter the registration code.

With the exception of .MAC Lockdown works on almost every web host. Occasionally there are a few hosts that have problem.

before you buy lockdown please do two things:

• First check your web site for compatibility using my handy test tool here.
• If it passes the test above download a version and try it. The only limitation of Lockdown without a registration code is you can't save your work to a Rapidweaver file.

To try it first download, install it and create a simple web page with only a lockdown page.

Publish the page but don't save it (Rapidweaver will ask to save it, just say no) and then visit it. If it says that Lockdown worked and you get the username/password prompt then you are good to go!

If it asks you to try the alternate instructions then try those and verify it works (again, don't try to save your Rapidweaver file).

All loghound.com plugins work on RapidWeaver version 3.2 and 3.5.

If you are having a problem running a plugin under 3.5 here are a few troubleshooting tips.

1) Verify that you have the latest version of plugins. You can get the newest version via the "Change Log" for each plugin
2) Make sure you COMPLETELY remove the old plugin first by moving it to the trash (via the finder) You can follow the instructions for 'installation' for each of the plugins
3) Make sure RapidWeaver is called "RapidWeaver", there can be problems if it's called something like "RapidWeaver 3.5"
4) If you still have problems bring up Console.app and then run RapidWeaver to see what kind's of messages are put out.

No. The technology that Lockdown uses doesn't have a 'logout' feature. The only way to force it is to quite the browser.

If you try lockdown and you get a password prompt on your webpage but the password is never recognized there are a few things to check.

1. Do the 'obvious' stuff. Confirm the password, make sure caps lock isn't on, etc.
2. If that doesn't help you may have a problem with the encryption type used. See the MD5 vs. CRYPT entry in the FAQ.

If you didn't use the 'alternate' technique to create the lockdown page you can remove it by simply unselecting 'password protect this page' and republish.

If, however, you had to use the alternate approach *OR* you already removed the lockdown page you have to manually remove the password protect. Fortunately this is easy.

1. Use a program like transmit and log into your server. Navigate to where the lockdown page was

2. Turn on 'show invisible files' from the view menu

3. You should see a file called .htaccess -- Delete this file and it should stop asking for passwords.

If you get a lot of undefined errors like this

Notice: Undefined variable: HTTP_REFERER in (some path) on line 186
Notice: Undefined index: SCRIPT_URI in (some path)on line 187

The likely cause is your web host has set default PHP warning level too high. To fix it put the following in the 'page prefix' section of the page

<?PHP
error_reporting(E_ERROR);
?>

How to Configure Lockdown with Personal Web Sharing

AKA How to get it to work with your Mac's built in web server

Mac OSX comes built in with the worlds best web server (Apache) but by default it does allow a user to enable passwords on a per-directory basis. This feature is called 'AllowOverride' and by default it's turned off so Lockdown doesn't work.

Fortunately the solution to fix it to allow Lockdown is quite easy but does require you are comfortable with editing config files.

You need to use a tool that can open 'private' files, in this example I use TextWrangler because It's free and I love it. If you are a Unix Hacker you can jump to the very bottom of this page to see how to modify this from the command line which is less steps and arguably easier but requires you know vi.



Open the file (it will be in one of the two locations depending on which version of OSX you are running)

/private/etc/httpd/users/[username].conf

or

/etc/apache2/users/[username].conf


Where [username] is your 'short' username. In my case it's 'johnmcl'. Because this is a so-called private file you have to either open it from a terminal window using a command line tool such as 'vi' or use a special feature of TextWrangeler called 'Open file by Name'



In my case I typed in

/private/etc/httpd/users/johnmcl.conf



The file looks like this


<Directory "/Users/johnmcl/Sites/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>




Now I want to change the 'None' to 'All' and TextWranger warns me.




Clicking yes, I modify the file to AllowOverride


<Directory "/Users/johnmcl/Sites/">
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>



And save the file... TextWrangler needs to verify I can modify this password







No problem.. I type in my password and save... The only thing left to do is to restart the web server to have the new settings take effect.

Go to System Preferences -> Sharing





Highlite "Personal Web Sharing" and click 'stop', give it a second to stop



And then click 'Start' to restart it... That's it! Lockdown should not be enabled!

Command Line

If you prefer you can also do this from the command line. Assuming you are logged in as the user who you want to enable LockDown at the command prompt type

sudo vi /private/etc/httpd/users/$USER.conf

Give it the password, and modify the 'AllowOverride' to 'All' from None, save it, restart Apache and you are finished!

If you go to a lockdown page and get HTML like this:



Then odds are your web host does not support PHP. While most hosts do some do not on their lowest cost plans.

Unfortunately lockdown requires PHP, you might contact your web host support team to find out if they can enable PHP for you.

You will find that a lockdown page will only ask for a password once. This is because the browser 'remembers' the password and automatically gives it to the lockdown page.

You can test this by completely exiting the browser (or running a different browser such as opera or firefox) -- you'll see it ask for the password again.

Double check your location -- So far in 100% of cases the person thought it was in the right folder but it wasn't. Remember you have to put the .htaccess in the exact same folder as the lockdown page.

I've put together a small screencast that shows how to do the alternate config. you can watch it by clicking here

The short answer is yes, it's possible for them to look at each others information. A single lockdown page protects all of the content that is 'nested' beneath it. You can minimize this by hiding the pages from the sidebar and using unusual foldernames but it's still possible for them to directly navigate to each others lockdown pages.

If you really want to have a single login page but each person to have a unique, protected, site you need one main lockdown page that just redirect people to a 2nd lockdown page that is unique to them. Unfortunately this will require they 'log in' twice.

Starting with Version 1.5 of Lockdown you can now 'Expire' Passwords. This is useful if, say, you want to grant access to someone for a few days and don't want the system to automatically disable access.

To use it simply type in the expiration date next to the password. you can also use things like "Next week" or "In 3 days" (of course you can also simply type a date in)


once a user 'expires' the field grays out to tell you they are no longer have access. At this point you can ignore them, delete them or re-enable the account by putting a new expire date. The default of ignoring them has the same effect of removing them. They no longer have access to the site.


Please not that this feature is different than account time outs you may have seen on sites like Amazon.com (which automatically log you out after a preset amount of time with no activity).

Limitations in Removing users

the default behavior is 'Never Expire' but you can optionally  give a date after which the account would nominally not work.

Unfortunately there are so many different ways web hosts configure their servers that it will work different ways for different people.

For everyone everytime you 'publish' out of RW if the 'expiration date'  has been exceeded that user will no longer be authorized (it'll still show in the list but be grayed out) and their account will be removed from the  web site.

For some (many) people I will be able to remove them *without* republishing (on the fly)  sometime after the expiration date.. It'll depend on someone (anyone) visiting the lockdown page which will trigger the removal of expired users.

For some folks (anyone who has to use the 'alternate configuration method') I am not able to turn off account access on the fly, I will be able to stop them from seeing the content on the actual lockdown page but that person could still be able to jump to a nested page (until you republished the site at which point they would be locked out)

The key message is that it will work fine if you are willing to live with the 'expiration' date as a 'do not shut them off sooner than this date but it's-ok-if-they-have-access-beyond-that-for-a-bit' where the 'a bit' is defined by how often you republish your RW site, how active people visit it and how often the lockdown page is visited.

Releases of Lockdown prior to 1.65U had a problem with Authorization redirects (also known as 401 redirects)

You see 401 redirects require that the redirect page be an absolute path on the server (such as '/pages/error.html) while the other error pages allow full URL's (such as http://www.google.com)

See here for a write up of this but the short answer is I now specifically disallow external URL's and format the internal (e.g. within RW) urls as absolute paths.

There is one odd side effect that I don't completely understand. If you go to a document with a password and hit 'cancel' it keeps on asking you. If you hit cancel enough times it eventually directs you to the error page *minus* the CSS, javascript, themes, etc.

If anyone understands why let me know. I've been scratching my head over it and don't have a good answer yet.

In the meantime if you have this problem the easy solution is to use a HTML page without a theme (you can turn the theme off for HTML pages) and have a simple document saying with a URL link back to the main web page.

Starting with lockdown 1.68 the option was added to the setup menu to select two types of encryptions. MD5 or CRYPT.

What happens is the passwords are stored on the server encrypted -- Previously Lockdown used MD5 style encryption which is very strong and allows for long passwords. However some servers don't support MD5. In that case you can select CRYPT.

The only thing to be aware of is that using CRYPT requires the password is < 8 characters. Anything over 8 characters is ignored so if you have a password of "goatcheesesteak" and "goatcheesesandwich" they would both appear to be the same password to CRYPT where MD5 would recognize them as being different.

In general I recommend MD5. If that works you are done. If, however, you have problems with passwords not being recognized you may want to try CRYPT to see if it fixes the problem.