September 3, 2002

Hello, I'm testing FMP with the Web Security db. I need to let the visitor log in with an HTTP form (not with the standard window of the Web Security db). How can I pass the username to the Web Security db? In my db I've set up a field called password which is the same as the client username of the Web Security db. Thanks

September 4, 2002

RE: "In my db I've set up a field called password which is the same as the client username of the Web Security db. Thanks"

So everyone can hack the password file and display all passwords.

September 4, 2002

If you use Javascript you can build a URL which looks like this:

    http://garry:mypassword@localhost:1433/FMPro?-db=gctest.fp5&-lay=cgi&-format=sectest.html&-findall

This will avoid the HTTP authentication window, yet use the 'Web Security' database.

All the best.
Garry

September 4, 2002 (Author)

Thanks for your post. A few questions:

- Is the port number necessary? What is its aim?
- In which sense "if you use javascript"? Do I need to prepare JavaScript code, or is only the link you posted necessary?

Other questions: I've tested the WS db and this is what I've discovered:

- If I make a user "everyone" with no password (browse, script) and then another user "user1" with different privileges (browse, script, edit), my dbs can't be browsed... and every time it prompts the login window. If I delete "user1" everything is ok. Am I missing something?

September 4, 2002

"- Is the port number necessary? What is its aim?"

The port number is not necessary if you are using port 80. I have Apache using port 80.

"- In which sense "if you use javascript"? Do I need to prepare JavaScript code, or is only the link you posted necessary?"

Here is an example:

    <html>
    <head>
    <title>Call Sec Test</title>
    <meta name="generator" content="BBEdit 6.5.2">
    <script>
    // Build http://username:password@host/... from the form fields and navigate to it.
    function login() {
      var sSecDetails ;
      sSecDetails = document.myform.username.value + ":" ;
      sSecDetails = sSecDetails + document.myform.mypassword.value + "@" ;
      document.location = "http://" + sSecDetails + "localhost:1433/FMPro?-db=gctest.fp5&-lay=cgi&-format=sectest.html&-findall" ;
    }
    </script>
    </head>
    <body>
    Login Details<br>
    <form name="myform">
    <input type="text" name="username"><br>
    <input type="password" name="mypassword"><br>
    <input type="button" value="Login" onclick="login();">
    </form>
    </body>
    </html>

In the WS Database use "All Users" for the no password user. Only have browse rights for this user. What is the purpose of your script? You may not need it!

Hope this helps.
Garry

September 4, 2002 (Author)

Thanks for your time, I'll try it. The purposes of the scripts are different: to send me an email when a new user signs up, to send him the login password to retain, etc... Thanks a lot

September 5, 2002 (Author)

OK, many thanks, I've tried and everything seems to work fine. Two more questions:

1. The form button doesn't work fine: when I put log+pass and press enter nothing happens; when I click on the button everything is ok.
2. After the login procedure I need a link to let the user create a new record (as a test for privileges). How should this link be, I mean where is the information about log+pass stored? Directly in the link as "fmpclientusername"? Something like this?

    http://localhost/FMPro?.............[FMP-Clientusername]&-new

Could you please write an example?

Thanks, Garry

September 6, 2002

For the first part -- add just another hidden field with the same action like is in Submit -- -new or -edit.

September 6, 2002 (Author)

Sorry but I don't understand: the first part of my questions? You mean to insert a hidden field in the login form to make the button of the form work? Thanks

September 6, 2002

I will have some time tomorrow to provide some more information.

All the best.
Garry

September 10, 2002

David,

Here is a method for sending the login by pressing "return/enter" after the password is entered:

    <html>
    <head>
    <title>Call Sec Test</title>
    <meta name="generator" content="BBEdit 6.5.2">
    <script>
    // Build http://username:password@host/... from the form fields and navigate to it.
    function login() {
      var sSecDetails ;
      sSecDetails = document.myform.username.value + ":" ;
      sSecDetails = sSecDetails + document.myform.mypassword.value + "@" ;
      document.location = "http://" + sSecDetails + "localhost:1433/FMPro?-db=gctest.fp5&-lay=cgi&-format=sectest.html&-findall" ;
    }
    </script>
    </head>
    <body>
    Login Details<br>
    <!-- onsubmit catches return/enter; "return false" stops the normal form submission -->
    <form name="myform" onsubmit="Javascript: login(); return false;">
    <input type="text" name="username"><br>
    <input type="password" name="mypassword" onchange="Javascript:document.myform.subbutton.focus();"><br>
    <input type="button" name="subbutton" value="Login" onclick="login();" onkeypress="login();">
    </form>
    </body>
    </html>

I have tested this with IE 5.2 on Mac OS X 10.2.

Hope this helps.
Garry

September 10, 2002

You can attempt to create a new record with the very first URL in the login file. The user+password are embedded there. After a user has logged in they will not need to send the username+password again, as the browser remembers them and sends them in the HTTP header with every request.

Hope this helps.
Garry

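Added example (not part of the original thread): what the login URL from the posts above becomes on the wire, assuming the Web Security database relies on HTTP Basic authentication, which is what the user:password@ URL form supplies. The helper names are hypothetical; the code shows that the header sent with every request is reversible base64, and how to mask such URLs before they are written to a log.

```javascript
// Added example for Node.js; function names are hypothetical.
// The sample URL is the one quoted in the thread.

// The URL parser keeps userinfo percent-encoded; decode it, tolerating bad escapes.
function pctDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Split "http://user:pass@host/..." into the URL actually requested and the
// Authorization header derived from the userinfo part.
function splitCredentialUrl(href) {
  const u = new URL(href);
  const user = pctDecode(u.username);
  const pass = pctDecode(u.password);
  u.username = "";
  u.password = "";
  const hasCreds = user !== "" || pass !== "";
  return {
    requestUrl: u.href,
    authorization: hasCreds
      ? "Basic " + Buffer.from(user + ":" + pass, "utf8").toString("base64")
      : null,
  };
}

// Reverse the header: Basic is an encoding, not encryption, so anyone who
// can read the request can read the password.
function decodeBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(header || "");
  if (!m) return null;
  const text = Buffer.from(m[1], "base64").toString("utf8");
  const i = text.indexOf(":"); // the password may itself contain ':'
  if (i < 0) return null;
  return { username: text.slice(0, i), password: text.slice(i + 1) };
}

// Mask the userinfo of any http(s) URL in a line of text before logging it.
function redactUrls(line) {
  return line.replace(/\b(https?:\/\/)[^\/\s@?#]+@/gi, "$1***@");
}
```
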
September 16, 2002 (Author)

OK, it works. But now I have a little new problem:

BEFORE THE WEB SECURITY DB
The user logged in with a form which checked the login and password fields and found his record to make changes on it (in the db I have user and password).

AFTER WEB SECURITY
I've set up a form (yours) to authenticate the user, who now has edit privileges. The fact is that after the login the user can access all the records and edit all. I need to let the user access only his record... any ideas? I know why it happens but I don't know how to resolve it and have:

1. User access only his records
2. User edit only his records

Then I have another problem, but next time.

Thanks
David

September 16, 2002

A pdf called "Web Security Procedures" on the Filemaker site explains how to do this.

All the best.
Garry

September 17, 2002

It is quite easy, if you carry the user login ID through the session in a Token. Then on the link "Edit your record" you will include his/her ID in the search conditions, so only the one correct record will be shown with the correct ID. That also calls for the "forced frame" technique, so nobody can modify the URL or open something into a new page without the frame, and maybe you can even use "chromeless" windows.

September 17, 2002

Does each User have only one record or do they have more than one record?

Garry

September 17, 2002 (Author)

Garry, the user could have more than one record (some one and others more than one).

Anatoli, even if I have never used tokens I'll try with a few little tests... I'll let you know what kind of mess I'm going to generate :-)

Thanks
David

September 17, 2002

I guess it is a "username" field that identifies a record as belonging to a particular User? If this is so, the initial (login) request can contain the username for searching on the main database. After that, as Anatoli said, a Token can be used to keep track of that User and their records.

All the best.
Garry

p.s. Ready for the Token questions now

September 18, 2002

Just a small warning -- you must carry the token all the way in all links or forms from page to page.

September 18, 2002

Re: "you must carry the token all the way in all links or forms from page to page"

Or, use Cookies.

Garry

September 19, 2002

If they ever work. I meant the FM/WebCompanion ones. I have no trouble with other cookies, server or JavaScript; just with the FM/WS ones I was not lucky. BTW, till today nobody has helped me with that problem. I've had only the tip from an FM guy with a duration of 9999 -- too short for practical usage.