web login

[david s]

Hello,

i'm testing fmp with web security db.

I need to let the visitor log in with an http form (not with the standard window of web security db).

How can i pass the username to web security db?

in my db i've set up a field called password wich is the same of client username of web security db.

Thanks

[Anatoli]

RE: in my db i've set up a field called password wich is the same of client username of web security db.

Thanks

So everyone can hack the password file and display all passwords

[Garry Claridge]

If you use Javascript you can build a URL which looks like this:

http://garry:mypassword@localhost:1433/FMPro?-db=gctest.fp5&-lay=cgi&-format=sectest.html&-findall

---

This will avoid the HTTP authentication window, yet use the 'Web Security' database.

All the best.

Garry

[david s]

Thanks for your post:

A few question:

- the port number is necessary? what is it aim?

- In which sense "if you use javascript"? I need to prepare a javascript code or it's necessary only the link you posted?

Other questions:

I've tested ws db and this is what i've discovered:

- If i make a user "everyone" with no password (browse, script) and then another user "user1" with different privilegies (browse,script,edit) my dbs can't be browsed.... and everytime it promts the login window. If i delete "user1" everything is ok. Missing something?

[Garry Claridge]

- the port number is necessary? what is it aim?

The port number is not necessary if you are using port 80. I have Apache using port 80.

- In which sense "if you use javascript"? I need to prepare a javascript code or it's necessary only the link you posted?

Here is an example:

<html>

<head>

<title>Call Sec Test</title>

<meta name="generator" content="BBEdit 6.5.2">

<script>

function login()

{

var sSecDetails ;

sSecDetails = document.myform.username.value + ":" ;

sSecDetails = sSecDetails + document.myform.mypassword.value + "@" ;

document.location = "http://" + sSecDetails + "localhost:1433/FMPro?-db=gctest.fp5&-lay=cgi&-format=sectest.html&-findall" ;

}

</script>

</head>

<body>

Login Details<br>

<form name="myform">

<input type="text" name="username"><br>

<input type="password" name="mypassword"><br>

<input type="button" value="Login" onclick="login();">

</form>

</body>

</html>

---

In the WS Database use "All Users" for the no password user. Only have browse rights for this user.

What is the purpose of your script? You may not need it!

Hope this helps.

Garry

[david s]

Thanks for your time, i'll try it.

The pourpose of the scripts are differents:

send to me an email when a new user sign up and to him to retain the login password, ecc...

Thanks a lot

[Anatoli]

None of that require script

[david s]

ok many thanks i've tried and everything seems to work fine.

Two more quesyions:

1. The form button doesn't work fine: when i put log+pass and press enter nothing happens, when i click on the button everything is ok.

2. After the login procedure i need a link to let the user create a new record. (as a test for privilegies). How should be this link, i mean where are stored the information about log+pass? directly in the link as "fmpclientusername"?

something like this? &-new]http://localhost/FMPro?.............[FMP-Clientusername]&-new

could you please write an example?

Thanks Garry

[Anatoli]

For the first part -- ad just another hidden field with the same action like is in Submit -- -new or -edit.

[david s]

Sorry but i don't understand: first part of my questions?

You mean to insert an hidden field in the login form to make the button of the form work?

Thanks

[Garry Claridge]

I will have some time tomorrow to provide some more information

All the best.

Garry

[david s]

Thanks to garry and to everyone who is helping me.

[Anatoli]

Yup

[Garry Claridge]

David,

Here is a method for sending the login by pressing "return/enter" after the password is entered:

<html>

<head>

<title>Call Sec Test</title>

<meta name="generator" content="BBEdit 6.5.2">

<script>

function login()

{

var sSecDetails ;

sSecDetails = document.myform.username.value + ":" ;

sSecDetails = sSecDetails + document.myform.mypassword.value + "@" ;

document.location = "http://" + sSecDetails + "localhost:1433/FMPro?-db=gctest.fp5&-lay=cgi&-format=sectest.html&-findall" ;

}

</script>

</head>

<body>

Login Details<br>

<form name="myform" onsubmit="Javascript: login(); return false;">

<input type="text" name="username"><br>

<input type="password" name="mypassword" onchange="Javascript:document.myform.subbutton.focus();"><br>

<input type="button" name="subbutton" value="Login" onclick="login();" onkeypress="login();">

</form>

</body>

</html>

---

I have tested this with IE 5.2 on Mac OS X 10.2

Hope this helps.

Garry

[Garry Claridge]

You can attempt to create a new record with the very first URL in the login file. The user+password are embedded there.

After a user has logged-in they will not need to send the username+password again as the browser remebers them and sends them in the http header with every request.

Hope this helps.

Garry

[david s]

ok, it works.

But now i've a little new problem:

BEFORE THE WEB SECURITY DB

User logged in with a form which checked the field login and password and found his record to make changes on it. (on the db i have user and passowrd)

AFTER WEB SECURITY

I've set up a form (yours) to autenticate the user who has now edit privilegies.

The fact is that after the log in the user can access all the records and edit all.

I need to let the user access only his record... any ideas?

I know why it happens but i don't know how to resolve it and have:

1. User access only his records

2. User edit only his records

Then i have another problem but next time.

Thanks

David

[Garry Claridge]

A pdf called "Web Security Procedures" on the Filemaker site explains how to do this.

All the best.

Garry

[Anatoli]

It is quite easy, if you will carry the user login ID through session in Token.

Then on link "Edit your record" you will include his/hers ID in a search conditions, so only one correct record will be shown with correct ID.

That also calls for "forced frame" technique, so nobody can modify the URL or open something into new page without frame and maybe you can use even "chromeless" windows.

[Garry Claridge]

Does each User have only one record or do they have more than one record?

Garry

[david s]

Garry the user could have more than one record (some one and others more than one).

Anatoli even if i have never used token i'll try with a little tests... i'll let you know what kind of mess i'm going to generate -)

Thanks

David

[Garry Claridge]

I guess it is a "username" field that identifies a record as belonging to a particular User?

If this is so, the initial (login) request can contain the username for searching on the main database. After that, as Anatoli said, a Token can be used to keep track of that User and their records.

All the best.

Garry

p.s. Ready for the Token questions now

[Anatoli]

Just small warning -- you must carry the token all the way in all links or forms from page to page.

[Garry Claridge]

Re: you must carry the token all the way in all links or forms from page to page

Or, use Cookies.

Garry

[Anatoli]

If they ever work I meant the FM/WebCompanion ones. I have no trouble with another cookies, server or JavaScript, just with the FM/WS I was not lucky.

BTW, till today nobody help me with that problem. I've had only the tip from FM guy with duration of 9999 -- too short for practical usage.