Making some pages only viewable by selected users.

You can define, on a page by page basis, what the requirements are for access, and what should happen if an unauthorized user tries to access a restricted page. Three special comments, which you should embed somewhere in the first 32K of your page, are used to control access to the page:-

• <!--SecurityDLL=dllname-->
  
  • This comment specifies the name of the DLL (don't specify the extension) that InfoCourier will attempt to find to determine if the user has access to this page. If the DLL cannot be found on the user's system then the user is denied access. If this comment is not included on a page then access to the page is unrestricted. Building the DLL is very simple and requires no programming knowledge, just the completion of a couple of dialog boxes. The process is described below.
• <!--SecurityLevel=nnnnnnnn-->
  
  • You can specify a particular Security Level for a page (up to 8 numerics), and this will be checked against the security code which you specify when you build the DLL. This comment is optional and assumes a default of 0 if not coded. Access will be permitted if the Security Level specified on the page is not greater than the Security Level in the DLL. This could for example permit you to produce a single distributable for your organization that had information intended for viewing only by employees with the required seniority level, or perhaps different levels of subscription to an electronic magazine. You need to think about this method carefully though - you are committing yourself to multiple DLLs with the same name but different contents, and that could be very difficult to manage. It may be better to have different pages requiring DLLs with different names, and for example more privileged users having multiple DLLs.
• <!--SecurityAlternate=url-->
  
  • This comment specifies the name of a page that should be displayed if access is denied to this page. This is also optional, and if you don't include it the user will get a simple message stating that he doesn't have access to the page.

You give people access to your protected pages by supplying them with a DLL that you can create very simply yourself from within the InfoCourier compiler. The sequence is as follows:-

1. Select the Utilities/Create Security DLL menu command.
2. In the resultant dialog box specify the security level you wish the DLL to contain.
3. In the subsequent standard "file save" dialog box, specify the name you want for the DLL (should match the SecurityDLL= comment above).

You can then distribute this DLL to people you wish to access the appropriate pages. This DLL will of course work for all future distributables you create with the same page security specifications, so you could for example permit a subscriber to access a monthly "electronic magazine" by download from an FTP site until say the December issue. In the January issue you would change the DLL name, and the user would no longer have access unless he resubscribed.

One obvious question is what would happen if someone else chooses to distribute a DLL with the same name as yours? InfoCourier uses the standard Windows DLL search sequence to try to locate the security DLL, basically :-

1. The current directory.
2. The Windows directory (the directory containing WIN.COM).
3. The Windows system directory (the directory containing such system files as GDI.EXE).
4. The directory containing the InfoCourier executable file.
5. The directories listed in the PATH environment variable.
6. The list of directories mapped in a network.

If your executable locates a DLL with the correct name, but it was produced by a copy of InfoCourier other than your licensed copy then no access will be given. Of course you would be well advised to choose a naming strategy that is unlikely to cause clashes with others. Also note that a DLL you create with the evaluation version of InfoCourier will not be compatible with distributables you create from a licensed copy. You can experiment with DLLs created by the evaluation version with distributables also created by the evaluation version.

If you want to experiment to see what happens, try this jump to a secured page. While in design mode in InfoCourier you will be able to access it, but when you compile this into a distributable you will not. You can then create a DLL that matches it and see what happens.

Note that we do not claim that this security mechanism is uncrackable, very little is. However it would take some determined effort to defeat it. Also bear in mind that every distributable created is different, and so is every security DLL, so a generalized crack is unlikely.

Also please note that we aren't going to tell you how the security algorithms work, however much you need to know. And if you need an implementation of a public key cryptography mechanism or similar then we are happy to talk about the possibilities, but you will have to fund the development costs.