Secure personal profiles

Hi!

I’m building a video sharing platform using Webflow.
I want to use Memberstack to create user dashboards where they could see incoming video requests as well as videos that they requested (purchased) from other users.

From what I saw in some of the tutorials (like here - https://nocodequest.com/unique-member-dashboards-in-webflow-using-memberstack/), user dashboard pages are pages of a specific CMS.

As we’re working with personal information, we’re worried about security.

My questions are:

  • Is there something stopping a logged-in user from viewing the profile of another person if they know that person's specific URL?
  • How secure is MemberStack in general? Will it hold if someone is deliberately trying to get access to someone else’s account?
    What if they block JavaScript execution?

I’d imagine that these questions might’ve been asked before, it would be great if someone could point me towards answers to them!

Thanks!

Welcome to the Forum :wave:

You have the ability to set individual CMS pages / static pages to be viewable only by a certain member. To achieve this, I personally use Zapier. Once a member is created, Zapier creates a new Webflow CMS Item (the client dashboard), and then goes on to populate that member’s Memberstack profile with the member-only URL (for the URL itself, I set this to the Webflow CMS Item ID. Keeps it nice and simple then). It works really nicely.

Here’s a useful help article which explains it better than me: https://help.memberstack.com/en/articles/3925216-member-specific-pages


Regarding the JavaScript blocking, you can use a snippet of code to redirect any user blocking scripts to a page of your choice. For me, I have a specific page called “Javascript Blocked” which I redirect to, which explains why they’ve been taken to that page. You could, if you wish, simply loop them back to the homepage. Take note of this message on the Memberstack site though:

Here is the snippet of code you need to achieve the redirect:

<!--Redirect if JS is disabled-->

<noscript>
   <meta http-equiv="refresh" content="0; url=https://www.memberstack.io" />
</noscript>

I hope this helps.

Hi Andy,
Many thanks for your quick & detailed reply!

First of all, thanks for a solution regarding JavaScript blocking, I guess it would be enough for us.

Regarding member-specific pages though - I’ve seen this tutorial before and that’s exactly what I was concerned about.
I understand that the “Dashboard” link will be sending people to their member page (I also understand the Zapier integration to create these links).
My question is - if you’re logged in with your account but happen to know another person’s specific URL, will you be able to see their page?
From what I can see Memberstack is blocking specific URL directories (so in our case it will be say …/members/…) but if I know someone else’s id there’s nothing stopping me from accessing their page?

That’s a perfectly valid concern, and one that I harboured at first. I’m hesitant with my response here and will try and word it carefully as I certainly don’t speak for Memberstack - and indeed, this could be user error (me) rather than a problem with MS itself.

Truthfully? There is an immediate vulnerability in that you have to wait for the page to load before the MS script realises you aren’t logged in. When I open up a member page in a site I have running using their unique URL, there is approx. a 0.25-0.5 second opportunity for me to hit Esc and stop the page load, leaving the page open on the dashboard before MS kicks in and realises I’m not logged in.

For my use-case this isn’t a problem - there is absolutely nothing sensitive on the page / nothing that can be changed without my manual intervention. Added to the fact that every URL is unique (e.g. /dashboard/5eba73d70468c201045b81ea), this provides sufficient security for my use-case. However, this is a good example of why Memberstack itself stresses that you must not place sensitive information on the page!

I will stress that the above could simply be due to me implementing it incorrectly - I am by no means an expert in MS. I’d recommend we see what @Josh-Lopez can advise on the topic.

@Josh-Lopez has just written an article about the concern I mention above :partying_face:


@JollyGoodWeb, thanks a lot, that’s super helpful!
Still, a bit worried about people having access to other people’s unique URLs though - would be great if there’s some workaround for that!
