I have published Articulate Storyline 2 courses through an LMS which requires users to login. However, I have found that the courses can be accessed without using the LMS login by directly accessing the story.html file.
How can I prevent this? Any advice would be greatly appreciated. Thanks in advance.
The courses can be accessed from different PC using different IP address. For example, instead of going through site at www.xxxxxx.com and logging in, the course can be accessed by typing in www.xxxxxx.com/xxx/x/x/story.html. Here all the content can be viewed and interacted with by a non-authorized user and none of the information is tracked or reported.
If that is the case, there might be a security problem with your LMS. There is no way to secure Storyline Published package within Storyline. Your LMS administrator should check why non-authorized users are able to access the course.
It looks that your sample link doesn't have a secure HTTPS link. Please check if you are running on a secure website and be sure the said non-authorized user is not currently login. Better clear your browser cache to check just to make sure you are not login on the site.
Cleared cache and have ensured that unauthorized user is not logged in but unfortunately problem still persists. LMS provider says it is an Articulate issue.. Deflection?
What LMS you are using? Articulate should not be the problem why unauthorized users are able to access the course. This is purely LMS Security and or Server issues and not Articulate.
When you published did you publish for LMS or for web? The story.html file is what is often seen as a part of the web publish, and since we don't have a way to protect or mask the URL from the publish to web and we always tell folks to point to the story.html. If you're publishing for LMS the file URL to play the course would be specific to your LMS system and as such we don't have a standard link included or documented.
I'm publishing for LMS but the course is still accessible through the story.html file. Is there any explanation for this? Is this a security issue related to my LMS? It is like there is a backdoor for accessing our course without logging in through the LMS.
Did the stakeholder see it somewhere such as in the published output folder? There is a story.html file created in there, but when you're uploading to an LMS you typically point to the index_lms.html if your LMS requires you to pick a launch file. I often test courses in SCORM Cloud, and I know based on the links generated from that site you can't just change the ending to be story.html or story_html5.html as they include some unique numbers and identifiers.
Have you reached out to your LMS team about URL masking or such?
If your LMS can't or won't protect the content, you may need to find one that will.
You can create a login page at the beginning of your SL file, but everybody would have the same password. I have to assume that people that would pass on the URL will pass on the password, so that's pretty weak security
11 Replies
Hi,
Can you check if you are currently login using your cache session?
Hi Rex,
The courses can be accessed from different PC using different IP address. For example, instead of going through site at www.xxxxxx.com and logging in, the course can be accessed by typing in www.xxxxxx.com/xxx/x/x/story.html. Here all the content can be viewed and interacted with by a non-authorized user and none of the information is tracked or reported.
Hi Brian,
If that is the case, there might be a security problem with your LMS. There is no way to secure Storyline Published package within Storyline. Your LMS administrator should check why non-authorized users are able to access the course.
It looks that your sample link doesn't have a secure HTTPS link.
Please check if you are running on a secure website and be sure the said non-authorized user is not currently login. Better clear your browser cache to check just to make sure you are not login on the site.
Hi Rex,
Cleared cache and have ensured that unauthorized user is not logged in but unfortunately problem still persists. LMS provider says it is an Articulate issue.. Deflection?
Hi Brian,
What LMS you are using?
Articulate should not be the problem why unauthorized users are able to access the course.
This is purely LMS Security and or Server issues and not Articulate.
Hi Brian,
When you published did you publish for LMS or for web? The story.html file is what is often seen as a part of the web publish, and since we don't have a way to protect or mask the URL from the publish to web and we always tell folks to point to the story.html. If you're publishing for LMS the file URL to play the course would be specific to your LMS system and as such we don't have a standard link included or documented.
Hi Ashley,
I'm publishing for LMS but the course is still accessible through the story.html file. Is there any explanation for this? Is this a security issue related to my LMS? It is like there is a backdoor for accessing our course without logging in through the LMS.
Hi Brian
where are your users seeing the story.html file to click on the link?
Hi Wendy,
They aren't seeing it as of yet but it's a security issue that a stakeholder is concerned about and has asked to be resolved.
Hi Brian,
Did the stakeholder see it somewhere such as in the published output folder? There is a story.html file created in there, but when you're uploading to an LMS you typically point to the index_lms.html if your LMS requires you to pick a launch file. I often test courses in SCORM Cloud, and I know based on the links generated from that site you can't just change the ending to be story.html or story_html5.html as they include some unique numbers and identifiers.
Have you reached out to your LMS team about URL masking or such?
If your LMS can't or won't protect the content, you may need to find one that will.
You can create a login page at the beginning of your SL file, but everybody would have the same password. I have to assume that people that would pass on the URL will pass on the password, so that's pretty weak security
This discussion is closed. You can start a new discussion or contact Articulate Support.