Jump to content

Admin with Login


This topic is 7794 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Hi there!

I've got a security question:

My webroot is like this:

- index.html

- index2.html

- mailme.html

^images

^admin

--adminindex.html

--adminindex2.html

Now i want to protect my admin directory with a login (login.html form)(i have a Username and Password field in my database), after login they have to go to the adminindex.html file. I also want that adminindex2.html is protected, so that file has to check if i'm already logged in (cookie?).

I hope somebody can help me with this one!

Thanks,

Denniz

Link to comment
Share on other sites

RE: I also want that adminindex2.html is protected, so that file has to check if i'm already logged in (cookie?).

For that you can use "forced frames" technique. In short -- you put simple JS in head of your page to check that it is in frame.

First Frameset is the login page.

If user has disabled JS, you will send him again to the login Frameset.

And Web Security will improve things tremendously although it has big limitations or holes or both.

Link to comment
Share on other sites

I dont use frames in my admin (its a home made one with forms). And if i secure with the Web Security nothing happends when i go to my admin (no password pop-up or something).

Is there a way i can do it with a login page (which will leave a cookie) and protect the rest with a cookie check or something?

Link to comment
Share on other sites

I know have a login page, which works with my user/pass fields in my database:

[color:"red"]

<form action="FMPro" method="post" name="loginform">

<input type="hidden" name="-DB" value="web_site.fp5">

<input type="hidden" name="-Format" value="startindex.html">

<input type="hidden" name="-Type" value="user">

<table width="250" border="0" cellspacing="0" cellpadding="0">

<tr>

<td>Loginnaam</font></td>

<td>

<input type="hidden" name="-op" value="=">

<input type="text" name="guser" size="20">

</td>

</tr>

<tr>

<td>Password</font></td>

<td>

<input type="hidden" name="-op" value="=">

<input type="password" name="gpassword" size="20">

</td>

</tr>

<tr>

<td>

<input type="submit" name="-find" value="Login!">

</td>

</tr>

</table>

</form>

the login works great! but every source checker can pass this login (see hidden type=-Format). Does anyone have a solution for this??

ciao,

Denniz

Link to comment
Share on other sites

Here is some information about how to protect your format files:

"About the cdml_format_files folder

Use this folder to protect your CDML format files for FileMaker Pro Custom Web Publishing.

When you store your CDML format files in this folder, the FileMaker Pro Web Companion will process these format files as part of CGI requests, but their contents cannot be viewed directly by HTTP requests.

The cdml_format_files folder can only be used to secure your CDML format files. It cannot be used to hide images or static html files.

For more information about using the cdml_format_files folder as part of a comprehensive approach to Web security, see the Web Security.pdf document (FileMaker Pro folder > Web Security > Web Security.pdf)."

You can use "Exact Search" in the "Web Security" database to protect access to the database. Check the "Web Security.pdf" for details on this.

If you want to protect the source of your pages from being viewed from the browser, you may have to use various disguise methods which are mere deterrents frown.gif

All the best.

Garry

Link to comment
Share on other sites

Gary,

the above cdml_format_files folder.

If a html file with CDML tags is accessed that resides in this folder, your saying that the source code for these files cant be viewed?

What about the url information in the address bar? does filemaker also strip this of all the information such as database name, layout name, recid and the likes?

LR

Link to comment
Share on other sites

Larry,

The source can not be viewed directly. That is, if somebody uses a URL which leads them to a Format file without going through WebCompanion.

Unfortunately, FM can't control the appearence of the URL. I tend to use forms for almost everything I do. Hence, no URL with CDML embedded.

All the best.

Garry

Link to comment
Share on other sites

Thanks Gary. I figured that was going to be the case. I just was not familiar with the cdml_format_files folder in the new version 6 and was curious what it did.

I am currently implementing some of your suggestions from another post to control the appearance of the URL.

Larry

Link to comment
Share on other sites

This topic is 7794 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.