I’m aware that once the password for a protected page has been entered by the user, it depends on the user’s browser settings to keep that cookie, i.e. the page can be viewed again without the password.
Now what happens if the author of the protected page changes the password? Will the browser still show the page based on the old cookie, or will it ask for the new password?
Also, what are some ways one can at least deter users from viewing the page without the password? I mean, in what ways can we ensure (or come close to ensuring) that each view of a protected page requires the password?
What behavior are you seeing when you test it?
I cannot recall which behavior the legacy password-protection feature follows.
However, I’ve recently tested Webflow Membership auth tokens and they do not invalidate immediately even when you delete the user’s account. Essentially you have to wait for about 3 days for that token to invalidate, and then the user will be logged out.
And as there are no explicit settings for auth token duration, you cannot narrow that timeout window explicitly.
One way you may be able to deter this is to delete the cookie yourself using a client-side script; however:
- you’ll need to locate the correct cookie
- httponly cookies won’t be accessible by script
- the browser may have scripts disabled, which would defeat this measure
Overall, it’s important to understand that Webflow’s design approach to user-content security leans towards usability and simplicity, rather than ironclad security. It’s designed for gating basic content access, and as such it doesn’t have well-developed token-revocation features.
You’d likely need something else for that; I’d check Memberstack and see if it handles account-disables differently.
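
The client-side cookie deletion mentioned in the reply above, as an added example (not part of the original posts and not Webflow's code). The cookie name `EXAMPLE_PAGE_AUTH` is a placeholder, since the thread does not name the real cookie; it has to be located in the browser's developer tools first.

```javascript
// Placeholder name (assumption): the thread does not give the real cookie name.
const COOKIE_NAME = "EXAMPLE_PAGE_AUTH";

// Parse a document.cookie string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf("=");
    if (eq < 1) continue; // skip empty and nameless entries
    jar.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
  }
  return jar;
}

// A cookie is only overwritten when Path and Domain match the way it was set,
// and script cannot read those attributes, so build one expiry string per
// candidate path prefix and parent domain.
function expiryStrings(name, hostname, pathname) {
  const paths = ["/"];
  let prefix = "";
  for (const seg of pathname.split("/").filter(Boolean)) {
    prefix += "/" + seg;
    paths.push(prefix);
  }
  const labels = hostname.split(".");
  const domains = [""]; // "" means host-only: no Domain attribute
  for (let i = 0; i + 1 < labels.length; i++) domains.push(labels.slice(i).join("."));
  const out = [];
  for (const p of paths) for (const d of domains) {
    out.push(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${p}` +
             (d ? `; domain=${d}` : ""));
  }
  return out;
}

// HttpOnly cookies never appear in document.cookie, so an invisible cookie
// means script cannot clear it (or it is not set at all).
function clearPageCookie(cookieString, name, hostname, pathname) {
  if (!parseCookies(cookieString).has(name)) return { visible: false, writes: [] };
  return { visible: true, writes: expiryStrings(name, hostname, pathname) };
}

// Browser only: apply the writes when the protected page loads.
if (typeof document !== "undefined") {
  const r = clearPageCookie(document.cookie, COOKIE_NAME, location.hostname, location.pathname);
  for (const w of r.writes) document.cookie = w;
}
```

This only removes the cookie from the visitor's own browser on each load; it does not invalidate anything server-side.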