Webhelp on password-secured website (HTTPS)

Please post all questions and comments regarding Help & Manual 7 here.

Moderators: Alexander Halser, Tim Green

Post Reply
Peter Carr
Posts: 4
Joined: Sun Jul 10, 2016 1:03 am

Webhelp on password-secured website (HTTPS)

Unread post by Peter Carr »

I want my Webhelp to be available only to users of my program, not to anyone browsing the internet.

The Webhelp is hosted by site44.com and its address is (say) https://myhelp.site44.com.

I need my program to be able to open the webhelp in the user's default browser. The old way was to transmit the password in the URL like so:

Code: Select all

https://password=mypassword@myhelp.site44.com
My Delphi Firemonkey program can open a URL such as the above with the following code:

Code: Select all

sCommand := 'https://password=mypassword@myhelp.site44.com';
{$IFDEF MSWINDOWS}
  ShellExecute(0, 'OPEN', PChar(sCommand), '', '', SW_SHOWNORMAL);
{$ENDIF MSWINDOWS}
{$IFDEF POSIX}
  _system(PAnsiChar('open ' + '"' + AnsiString(sCommand) + '"'));
{$ENDIF POSIX}
The trouble is most web browsers no longer accept transmitting the password in the URL because it is insecure. So I need some other way to send the password.

I know you are not familiar with Firemonkey but I am hoping you may be able to indicate some general approach to programmatically accessing Webhelp on an https site. If you can do so, then maybe I can adapt the approach to Firemonkey.

I've tried asking on the Firemonkey section of Stackoverflow but so far none of the Firemonkey experts there have been able to assist.
User avatar
Tim Green
Site Admin
Posts: 23156
Joined: Mon Jun 24, 2002 9:11 am
Location: Bruehl, Germany
Contact:

Re: Webhelp on password-secured website (HTTPS)

Unread post by Tim Green »

Hi Peter,

I think you've really answered your own question: Browsers are now blocking password access via the URL so that avenue is now closed, or at least closing fast. So you will either need to set up a separate login page if your users are coming from different platforms, or integrate your Firemonkey solution (our developers are actually working with Firemonkey now) in your application to allow them to open the help from there.

All that being said, it's important to be aware that a simple one-password folder provides very low security. It does prevent search engine indexing effectively and access by random users, but a single password for multi-user access will get known and passed around very quickly. Actually, even a login system with a separate password for each user doesn't really help all that much, because it just takes one user passing around their credentials to nullify the system. The net effect then is really that it just creates an annoyance for the honest users who are forced to log in every time they use the system. And you lose the advertising effect of making it available to people who may then think, "Hey, that's interesting, maybe I could do something with that product."

The bottom line is that password-protecting documentation is only a net win if the documentation really does contain very sensitive information. And if it does, a protected WebHelp folder probably doesn't provide enough protection. Otherwise the negatives will almost always significantly outweigh the benefits of just making it generally available. 8)
Regards,
Tim (EC Software Documentation & User Support)

Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
Post Reply