
This topic is 8009 days old. Please don't post here. Open a new topic instead.


Posted

Hi there!

I've got a security question:

My webroot is like this:

- index.html
- index2.html
- mailme.html
^images
^admin
--adminindex.html
--adminindex2.html

Now I want to protect my admin directory with a login (login.html form) (I have a Username and Password field in my database), after login they have to go to the adminindex.html file. I also want that adminindex2.html is protected, so that file has to check if I'm already logged in (cookie?).

I hope somebody can help me with this one!

Thanks,

Denniz

Posted

RE: I also want that adminindex2.html is protected, so that file has to check if I'm already logged in (cookie?).

For that you can use the "forced frames" technique. In short -- you put simple JS in the head of your page to check that it is in a frame.

First Frameset is the login page.

If the user has disabled JS, you will send him again to the login Frameset.

And Web Security will improve things tremendously although it has big limitations or holes or both.

Posted

I don't use frames in my admin (it's a home made one with forms). And if I secure with the Web Security nothing happens when I go to my admin (no password pop-up or something).

Is there a way I can do it with a login page (which will leave a cookie) and protect the rest with a cookie check or something?

Posted

I now have a login page, which works with my user/pass fields in my database:

<form action="FMPro" method="post" name="loginform">
  <input type="hidden" name="-DB" value="web_site.fp5">
  <!-- page returned after the find; readable by anyone who views the source -->
  <input type="hidden" name="-Format" value="startindex.html">
  <input type="hidden" name="-Type" value="user">
  <table width="250" border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td>Loginnaam</td>
      <td>
        <!-- each -op applies to the field that follows it -->
        <input type="hidden" name="-op" value="=">
        <input type="text" name="guser" size="20">
      </td>
    </tr>
    <tr>
      <td>Password</td>
      <td>
        <input type="hidden" name="-op" value="=">
        <input type="password" name="gpassword" size="20">
      </td>
    </tr>
    <tr>
      <td>
        <input type="submit" name="-find" value="Login!">
      </td>
    </tr>
  </table>
</form>

The login works great! But every source checker can pass this login (see hidden type=-Format). Does anyone have a solution for this??

ciao,

Denniz
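
An added example, not part of the original thread: the login-plus-cookie check asked about above, sketched in Python rather than CDML or Web Companion code. The server decides which page to return (no hidden field such as -Format names it), and every admin page re-validates a signed, expiring cookie. The account, key, TTL and function names are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # signing key; stays on the server
SESSION_TTL = 900                  # seconds a login stays valid (assumed value)
ADMIN_PAGES = {"adminindex.html", "adminindex2.html"}  # admin pages from the thread

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account standing in for the guser/gpassword database fields.
_SALT = secrets.token_bytes(16)
USERS = {"denniz": (_SALT, _hash("constructed-sample-pw", _SALT))}

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def login(user, password, now=None):
    """Return a cookie value for an exact credential match, else None."""
    now = time.time() if now is None else now
    record = USERS.get(user)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    payload = f"{user}|{int(now) + SESSION_TTL}"
    return f"{payload}|{_sign(payload)}"

def check_cookie(cookie, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    if not cookie or cookie.count("|") != 2:
        return None
    user, expires, sig = cookie.split("|")
    expected = _sign(f"{user}|{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None   # forged or edited cookie
    if not expires.isdigit() or int(expires) < now:
        return None   # session expired
    return user

def serve_admin(page, cookie, now=None):
    """The server picks the response; no request field names the success page."""
    if page not in ADMIN_PAGES:
        return 404, "not found"
    if check_cookie(cookie, now) is None:
        return 302, "login.html"   # every admin page re-checks, not just the first
    return 200, page
```
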

Posted

Not only source checker :) But that doesn't matter with forced frames.

Furthermore if you haven't set WC for "exact search" everyone can get anything from WC without any passwords.

Posted

I have FM 6, but how can I protect my format files? And how do I change my database to "exact search"? (Maybe it's too early today ;) )

Posted

Here is some information about how to protect your format files:

"About the cdml_format_files folder

Use this folder to protect your CDML format files for FileMaker Pro Custom Web Publishing.

When you store your CDML format files in this folder, the FileMaker Pro Web Companion will process these format files as part of CGI requests, but their contents cannot be viewed directly by HTTP requests.

The cdml_format_files folder can only be used to secure your CDML format files. It cannot be used to hide images or static html files.

For more information about using the cdml_format_files folder as part of a comprehensive approach to Web security, see the Web Security.pdf document (FileMaker Pro folder > Web Security > Web Security.pdf)."

You can use "Exact Search" in the "Web Security" database to protect access to the database. Check the "Web Security.pdf" for details on this.

If you want to protect the source of your pages from being viewed from the browser, you may have to use various disguise methods which are mere deterrents :(

All the best.

Garry

Posted

Garry,

the above cdml_format_files folder.

If an HTML file with CDML tags is accessed that resides in this folder, you're saying that the source code for these files can't be viewed?

What about the URL information in the address bar? Does FileMaker also strip this of all the information such as database name, layout name, recid and the likes?

LR

Posted

Larry,

The source can not be viewed directly. That is, if somebody uses a URL which leads them to a Format file without going through WebCompanion.

Unfortunately, FM can't control the appearance of the URL. I tend to use forms for almost everything I do. Hence, no URL with CDML embedded.

All the best.

Garry

Posted

Thanks Garry. I figured that was going to be the case. I just was not familiar with the cdml_format_files folder in the new version 6 and was curious what it did.

I am currently implementing some of your suggestions from another post to control the appearance of the URL.

Larry

Posted

Hi, Garry -- I started using more POST forms, too, but my detail pages still had CDML URLs. Do yours, too, or did you manage to hide them somehow after your "hit list" was generated?

Much appreciated, ST.
