This page contains a collection of matters related to website security.

A major reason for the 2023 rework of the LLIR website was to improve security. LLIR adopted the approach of dividing the website into two areas, one of which is available to the public. This public area includes the Front Page of the website, reached at the address llirto.ca. Members must log in to access the member area, which contains all pages that only members should see. For details on how that goal is achieved, see the sections Initial Priority, Headers and Menus on the Implementation Strategy page.

Don’t Break Login Security

Do not create a link from any page that a user can see before logging in to any page intended for members only. The mechanism that prevents unauthorized users from reading pages that only LLIR members should see is Login. In this discussion, the term public area refers to the menus, buttons, pages and everything else that users can see before logging in. Three design features keep the public area of the website strictly separate from the member-only area:

  • After logging in, members see a larger menu and more buttons than appear in the public area.
  • The search bar does not appear in the site header until after a member logs in.
    Non-members cannot search the entire website for occurrences of specified words or phrases.
  • The destinations of all links from the public area are also in the public area.
    Exception: links to other websites and non-interactive documents like image files are safe.

The temptation to link from the public area to a member-only page — for example to the Calendar page — may be an indication that the Calendar should be public. If changing the status of Calendar is not the answer, don’t link to it. Calendar may look safe because it has no in-page links. However, consider that the website is constantly growing and changing and that adding links to provide a richer net of navigation paths is encouraged. If (or when) an in-page link from Calendar to another member-only page is added, a portal into the member-only area of the website is opened to non-members.
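The rule above can be checked mechanically whenever links are added. The following is an added example, not part of the LLIR website's own tooling: it takes a map of pages and their links, reports every link that crosses from the public area into the member-only area, and lists the member-only pages that become reachable through such a link. The site map is constructed for illustration; only Front Page and Calendar are names from this page, and the other page names are hypothetical.

```python
from collections import deque

# Constructed sample site map: page -> pages it links to.
# "Front Page" and "Calendar" come from the text; the rest are hypothetical.
SITE_LINKS = {
    "Front Page": ["About", "Calendar", "https://example.org/partner"],
    "About": ["Front Page"],
    "Calendar": ["Member Directory"],
    "Member Directory": ["Meeting Minutes"],
    "Meeting Minutes": [],
}
PUBLIC_PAGES = {"Front Page", "About"}


def boundary_violations(links, public):
    """Return sorted (source, target) pairs where a public page links to a member-only page."""
    return sorted(
        (src, dst)
        for src in public
        for dst in links.get(src, [])
        # Targets that are not pages of this site (other websites, image
        # files) fall under the stated exception and are skipped.
        if dst in links and dst not in public
    )


def exposed_pages(links, public):
    """Return member-only pages reachable by following links from the public area."""
    seen = set(public)
    queue = deque(public)
    while queue:
        page = queue.popleft()
        for dst in links.get(page, []):
            if dst in links and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return sorted(seen - set(public))


if __name__ == "__main__":
    for src, dst in boundary_violations(SITE_LINKS, PUBLIC_PAGES):
        print(f"public page {src!r} links to member-only page {dst!r}")
    print("reachable by link from the public area:",
          exposed_pages(SITE_LINKS, PUBLIC_PAGES))
```

In the sample, the single link from Front Page to Calendar exposes three member-only pages, because Calendar later gained an in-page link of its own.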

Adding a Page to Public Area

An additional feature, a conditional element, displays the message Please Log In on a blank page whenever a user accesses a member-only page without logging in. If you add a page to the public area of the website, you must modify the conditional element to suppress this message. For an explanation and instructions for doing that, see How to Suppress the Please Log In Message.