


Extranets and Member-only Areas

posted on 5:46 PM, February 20, 2008
An "extranet" is a part of a website that is not publicly accessible.  To gain access to the extranet, you must first provide some authentication information (typically a login ID and password).  This mechanism is used to access private areas of the website meant for members, customers, suppliers, employees and staff, and so on, but not the general public.

The advantages of an extranet are:
  • leveraging the global reach of the Internet to provide a private networked service
  • authenticating your viewers so you know who they are
  • "firewalling" certain services for greater security
The disadvantages are:
  • what the public cannot see, neither can the search engines
  • requires cookies to be enabled to store some kind of persistent identity information
  • private pages are rendered dynamically, so they take more server resources

How to set up an extranet using ExSite

ExSite Webware has a privacy setting for web pages, which can be one of:
  • public - anyone may view the page
  • members - only a logged-in user may view the page
  • administrators - only a person with privileges to maintain the site may view the page
Creating an extranet is as simple as setting the "privacy" field for a web page to "members". If any non-member navigates to that page, they will get an authentication challenge (i.e. they will be required to enter a valid login and password). The actual page will not be displayed unless a valid login and password are given. Once the user has been authenticated, they will be able to view all member-only pages for that site or section without re-entering their password. (If they have turned off cookies, however, ExSite will forget who they are and ask again.)

If a regular member navigates to an administrators-only page, the same thing happens again.  They will need to enter the login and password of an administrator to view the page.

If a regular member navigates to a private page in another site or section, they will again be asked for a valid login and password.  Private pages are private only to members of that section.  A consequence of this is that you can set up several sub-sections with completely different groups of users in each.

From the point of view of ExSite, a "member" is any person who can log in to a private part of the website.  It does not necessarily imply membership in an organization, or any other affiliation with the website owners.
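As an added illustration of the rules just described (this is example code, not ExSite's own implementation; the page, user and session structures and the section names are assumptions), here is the access decision written out so that the section-scoping and administrator cases are explicit. An unrecognised privacy value is treated as a challenge rather than as public, which is the fail-closed choice a practitioner would want:

```python
"""Access decision for a page-privacy scheme with public, members and
administrators levels, scoped per site section.

Constructed example: Page, User, the SESSIONS store and the section names
are assumptions for illustration, not ExSite's data structures or API.
"""
from dataclasses import dataclass

ALLOW = "allow"          # render the page
CHALLENGE = "challenge"  # show the login form instead of the page

PRIVACY_LEVELS = ("public", "members", "administrators")


@dataclass
class Page:
    section: str   # the site or sub-section the page belongs to
    privacy: str   # one of PRIVACY_LEVELS


@dataclass
class User:
    login: str
    member_of: frozenset = frozenset()   # sections this user may log in to
    admin_of: frozenset = frozenset()    # sections this user may maintain


# Constructed session store: cookie value -> authenticated user.
# A browser that sends no cookie (or an unknown one) is an unknown user.
SESSIONS = {
    "sess-alice": User("alice", member_of=frozenset({"main"})),
    "sess-bob": User("bob", member_of=frozenset({"main", "partners"}),
                     admin_of=frozenset({"main"})),
}


def resolve_user(cookies):
    """Map the request's cookies to a user, or None if nobody is logged in."""
    return SESSIONS.get(cookies.get("session"))


def check_access(page, cookies):
    """Decide whether to render `page` or to issue a login challenge.

    public          -> anyone
    members         -> a logged-in member of *this* page's section
    administrators  -> a logged-in user who may maintain this section
    Unknown privacy values fail closed (challenge), never open.
    """
    if page.privacy not in PRIVACY_LEVELS:
        return CHALLENGE
    if page.privacy == "public":
        return ALLOW
    user = resolve_user(cookies)
    if user is None:                      # no usable cookie: identity forgotten
        return CHALLENGE
    if page.privacy == "members":
        return ALLOW if page.section in user.member_of else CHALLENGE
    return ALLOW if page.section in user.admin_of else CHALLENGE


if __name__ == "__main__":
    pages = {
        "home": Page("main", "public"),
        "members_area": Page("main", "members"),
        "partner_docs": Page("partners", "members"),
        "site_admin": Page("main", "administrators"),
    }
    visitors = {"nobody": {}, "alice": {"session": "sess-alice"},
                "bob": {"session": "sess-bob"}}
    for who, cookies in visitors.items():
        for name, page in pages.items():
            print(f"{who:7s} {name:13s} {check_access(page, cookies)}")
```

Running the block shows alice (a member of "main" only) being challenged on the partners section and on the administrators page, while bob passes all three private pages; a request with no session cookie is challenged on every private page, which is the "ExSite will forget who they are" case above.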

Member-only Areas

You may set the privacy of any page anywhere in the site.  (The home page, index.html, should always be public, however.)  In principle, your private pages can be scattered all over the place.

To keep things organized and easy to navigate, it is common to group private pages into a single part of the site map.  This makes it easier to think of the private pages as a single "area" of the site.  To do this, simply group all of your private pages under the same parent page.  The parent page can be given a menu label of "Members" or "Login" to indicate that it is the entry point to a private area.

Menu Privacy

Private pages still appear in the automatic site menus even when you are not logged in.  (Otherwise there is no way of getting to a private page in order to log in.)

Sometimes you want to keep even the menu links private until the user has logged in.  To do this, group all of your private pages under the same parent page, and make that parent page also private to members.  The submenu of all the private pages will not be displayed until the parent page is viewable, and the parent page will not be viewable until the user has entered their login and password.

Customized Login Screens

The login screen that ExSite displays when you try to view a private page is quite plain. You can specify a system logo in the ExSite configuration file, which will be used as a banner on the login form. If you want a fully-templated login screen, read on.

If an unknown user tries to view a private page, the system regards that as an error, and as its error message, displays a login form.  Error messages are untemplated by default, but you can specify a special error template as follows:
  • create a template in your site;  it may be a stand-alone template, or it can inherit from existing templates to get logos, stylesheets, etc.
  • set the publication directory of this template to "_ERROR"
  • make any necessary changes to this template and layout to remove information that should not be seen by unknown users (for example menus, sidebars, etc.)

Static pages and privacy

Static pages are published to regular files and are always visible to the public.  Private pages are displayed dynamically.  If you change a public, static page to private, new revisions of the page will only be viewable dynamically, and all links to the page should also change to using dynamic URLs.

However, the old published file will still be present on disk.  This legacy version of the page may still be reachable from bookmarks or search engines.  To avoid this, unpublish the page, which removes its disk files.  After doing this, old bookmarks or search engine entries will result in a 404 (page not found) error.  (To avoid the 404 error, you can add some Apache redirects from the old static URL to the new dynamic URL, but that is beyond the scope of this document.)

If you really must have a static page that is also private, then you can make use of .htaccess files to password-protect particular files or directories on your server. This is a feature of Apache, not ExSite, so it does not use ExSite's database of members and passwords to control access; it has its own list of usernames and passwords, which you must maintain separately. Consult your Apache documentation for details.

Notes on Security

Extranets provide an extra layer of security around sensitive areas of your site that you may want to protect from public view. It should be noted that the security provided by an ordinary (unencrypted) web connection is not very strong. It is good enough to keep out casual prying eyes, but if your data is particularly sensitive you will want to consider additional security measures as well, such as:

  • Use a secure server (https). This encrypts all web traffic between the server and the user, which prevents passwords or sensitive information from being read in transit.
  • Use more secure password storage. ExSite defaults to storing its passwords in cleartext, which is most convenient for password reminders and password recovery. If your database gets hacked, however, your passwords are all compromised. (Of course if your database is hacked, ALL of your data is compromised, so it may not be a real issue.) ExSite has options for more secure password storage, including both reversible and irreversible encryption.
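To make the second point concrete, here is an added example (Python standard library only; it is not ExSite's implementation, and the record format and iteration count are assumptions) that puts the cleartext check beside an irreversible, salted and iterated hash check. The irreversible form is what stops a stolen table from yielding the passwords themselves, at the cost of the "reminder" feature the text mentions: a hashed password can be verified but never sent back to the user, so recovery has to become a reset.

```python
"""Cleartext password check beside a salted, iterated PBKDF2 hash check.

Added example using only the Python standard library. The "algo$iter$salt$hash"
record format and the iteration count are assumptions for illustration.
"""
import hashlib
import hmac
import os

# --- weak: the password itself is stored and compared --------------------
def verify_cleartext(candidate, stored_password):
    """Whoever can read the table can read every password."""
    return candidate == stored_password


# --- better: store only a salted, iterated digest ------------------------
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumed cost setting; raise it as hardware improves
SALT_BYTES = 16


def store_password(password, iterations=ITERATIONS):
    """Return the record to keep in the database instead of the password.

    A fresh random salt per record means two users with the same password
    get different records, and a precomputed table is useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate, record):
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False          # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record)                                                    # no password visible
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("correct horse battery stapl", record))   # False
```

The `iterations` parameter exists so the cost can be tuned (and so tests can run quickly); the default is deliberately high because the whole point is to make guessing against a stolen table slow. Note that `verify_cleartext` is kept only to show the contrast and should not be used.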

Filed under: programming