This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
May 17, 2010 2:44pm
#16 / May 18, 2010 2:12am
Cohn Marketing,
Where are you at with this? At the moment I get a 403 forbidden when I try and access your site.
Can you do a step by step of what you have done to redirect guest access including code examples?
#17 / May 18, 2010 2:58am
Initially I had the site locked down through an .htaccess IP block.
The boss-man requested that a splash page be put up in place of the .htaccess “Access Denied” page.
From there, with a bit of guidance from someone that has worked with EE in the past, we set (I believe) the template permissions for the default theme (shopstar/index) to deny the guest group. The alternate location for the guest group became splash/index
The next day, yesterday, boss-man asked that I allow guests back into the site, so that the real end-client is able to go through the account sign-up process. From here, I have gone back into the template permissions panel and set all files in all template groups to allow *everyone* to access them.
For some un-godly reason, I decided to forgo the .htaccess file manipulation in favor of an if (in_array(IP, GoodIPs)) block of code in the “site” (index.php) file. I am still struggling with EE concepts as I traditionally write my own content management systems.
Setting all the files to universally viewable by all groups produced the results you see now. So… I deleted the splash template group thinking that EE would default back to the shopstar/index template group and file. Nope, or at least it looks like a “Nope”. Seeing the blank page, I recreated the splash/index template in the hopes that I would regain control of the guest destination.
So here is what happens now. A set number of users like admins, super admins, etc are able to log into the back-end. From there they can go to the site URL of http://goshopstar.com/site and use it without any problem. They can even log-out and continue to surf the site. It is only when the browser session ends that they are kicked to the blank page. If they go back to the admin URL and log-in, access to the front-end is restored.
There really isn’t any code, per se, to pass over. I have removed the IP block from the .htaccess file and the in_array block from the site (index.php) file. As far as I can tell, everything is back to its original state with open permissions. It is full on mind-blowing for me. I wish I could see the state of each template file vs. the multi-select boxes that are attached to each group in the template permissions form. :(
If my memory is correct, that was my path to chaos.
BTW: Thank you, and the other EE responders for your help. I’ve worked with several different content management systems and the EE crew is by far the best I have encountered. It is a good system. Even in my novice state, I have been able to write a few custom modules for this site. Eventually I will get the hang of it.
Thank you again,
Trevor
#18 / May 18, 2010 3:14am
Just in case, here is my .htaccess file.
# PREVENT PUBLIC ACCESS DURING DEVELOPMENT
# Order deny,allow
# Deny from all
# Allow from 255.255.255.255 (removed for security)
# INCREASE MEMORY LIMIT TO COMPLETE INSTALLATION OF OPENX ADSERVER
php_value memory_limit 128M
# REMOVE THE .php EXTENSION FROM EXPRESSION ENGINE ROOT INDEX FILE, WHICH HAS ALSO BEEN RENAMED FROM 'index.php' TO 'site'
<Files site>
ForceType application/x-httpd-php
</Files>
# USE THE RENAMED 'index.php' FILE AS THE DEFAULT INDEX FOR THE DOMAIN (OVERRIDDEN IN FOLLOWING SUBDIRECTORIES: adserver, shopstar-admin)
DirectoryIndex site
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# REDIRECT REQUESTS FOR www
RewriteCond %{HTTP_HOST} ^www\.goshopstar\.com [NC]
RewriteRule ^(.*)$ http://goshopstar.com/$1 [L,R=301]
</IfModule>
# DISABLE DIRECTORY BROWSING
Options All -Indexes
As a side note, I can not get to /site/ for the life of me. I have a check in place to see if the REMOTE_ADDR is me. Presumably this would allow me to debug the site in a trace-the-site-process manner to see where it breaks.
My Debug function (ip changed for security):
At the top of the renamed index.php file, site, I have the following code (actual include file name replaced):
require_once('someFileName.php');
trevorDebug($_SESSION, 'session');
trevorDebug($_COOKIE, 'cookie');
trevorDie();
I will try to step through the guest process. Hopefully I can find some sort of road block. I am simply out of ideas.
#19 / May 18, 2010 4:05am
Cohn Marketing,
Ok I can reach your site via the root now.
What is your User Session Type set to?
CP Home › Admin › System Preferences › Security and Session Preferences
I would replace the contents of your renamed index file with its original contents for a start.
How I would have done it originally, when the boss-man said to turn off access to the index template for guests, is go to the Template Access Restrictions for that particular template. Switch off access for guests and set the redirect to the specific landing page I had created for them. It is then just a matter of switching back when you are asked to.
#20 / May 18, 2010 4:58am
99% sure it’s “fixed”
Yeah, I would have done the same now that I know that template permissions exist. I am actually the 4th or 5th developer on this project. Without knowing the EE system and with nobody to ask, it was a rather painful introduction. Thankfully we have found an 11th hour contractor to jump in and save my hide. 😊
So I know this is probably the worst mojo-approach ever: The idea behind the site is to play host to several different shopping locations (centers). Once a visitor selects a location, I need to track and adjust the site to that location. Adjustments include forwarding users onto the associated forums, location specific twitter feeds, co-branding, etc… I tried to use cookies but they were messy. I even tried to use a cookie plugin without success. So, I turned to a session based solution. I wasn’t able to pick out EE’s session handling capabilities so I had to make some assumptions. 1: Sessions were not going to get dumped at unknown intervals. 2: The session keys I set would remain valid.
The problem I was running into was this: Sessions end with the browser closing out. Knowing this I placed a back-up cookie. When the user re-visits the site, I first check to see if there is a valid session key. If not, I reference the cookie. If the cookie doesn’t exist either, I send the user to a generic site. It was this last scenario that was killing the site. I’m not exactly sure why. Something about the way sessions were being initialized deeper into the site through the template system.
What I ended up doing was setting a bunk session state for the selected key at the top of the site, or index.php page.
// Start a session if none is active, then seed a placeholder location
if (!session_id()) {
    session_start();
    if (!isset($_SESSION['myLocation'])) {
        $_SESSION['myLocation'] = 'bunk';
    }
}
With each page-load I check the cookie and/or session state against a valid array of locations. If the value is good, then I perform the customization. If not, which includes “bunk”, a generic site is presented. The site (index.php) page is the only page that needed adjustments. Everything else runs through the template system.
Again, this may not have been the best approach but given my limited EE experience, it was the best solution I could come up with. I’ve had 3 weeks to learn EE and launch a rather complex site. 😊
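The check described in post #20, validating the session value and the back-up cookie against a fixed list of locations before using either, as an added example that is not part of the original post or the site's code. The location slugs, the constant names and `resolveLocation()` are hypothetical, and the array form of `setcookie()` assumes PHP 7.3 or later.

```php
<?php
// Added example, not the poster's code. Slugs and names below are hypothetical.
const VALID_LOCATIONS  = ['northgate', 'riverside', 'eastfield']; // constructed
const GENERIC_LOCATION = 'generic';

/**
 * Pick the visitor's location: session first, then the back-up cookie,
 * otherwise the generic site. Both sources are untrusted until a value
 * matches the allowlist exactly.
 */
function resolveLocation(array $session, array $cookie): string
{
    $candidates = [$session['myLocation'] ?? null, $cookie['myLocation'] ?? null];
    foreach ($candidates as $candidate) {
        // A cookie sent as myLocation[]=x arrives as an array, so require a
        // string, and use strict in_array() to avoid loose-comparison matches.
        if (is_string($candidate) && in_array($candidate, VALID_LOCATIONS, true)) {
            return $candidate;
        }
    }
    return GENERIC_LOCATION; // covers missing, malformed and placeholder values
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: session wins, cookie is the fallback, junk is rejected.
    var_dump(resolveLocation(['myLocation' => 'northgate'], ['myLocation' => 'riverside']));
    var_dump(resolveLocation([], ['myLocation' => 'riverside']));
    var_dump(resolveLocation(['myLocation' => 'bunk'], ['myLocation' => ['x']]));
    var_dump(resolveLocation([], ['myLocation' => 'unknown-mall']));
} else {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $location = resolveLocation($_SESSION, $_COOKIE);
    $_SESSION['myLocation'] = $location; // store only the validated value
    if ($location !== GENERIC_LOCATION) {
        // Refresh the back-up cookie so the choice survives a browser restart.
        setcookie('myLocation', $location, [
            'expires'  => time() + 30 * 86400,
            'path'     => '/',
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
}
```

Code that later builds a forum link or co-branding path from the location then only ever receives a value from the fixed list, never the raw cookie.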
#21 / May 18, 2010 8:07am
So is everything OK now?