Admin with Login

[Denniz]

Hi there!

I've got a security question:

My webroot is like this:

- index.html

- index2.html

- mailme.html

^images

^admin

--adminindex.html

--adminindex2.html

Now i want to protect my admin directory with a login (login.html form)(i have a Username and Password field in my database), after login they have to go to the adminindex.html file. I also want that adminindex2.html is protected, so that file has to check if i'm already logged in (cookie?).

I hope somebody can help me with this one!

Thanks,

Denniz

[Garry Claridge]

You can use the "Web Security" database if the admin format files are using different actions e.g. "-edit".

All the best.

Garry

[Anatoli]

RE: I also want that adminindex2.html is protected, so that file has to check if i'm already logged in (cookie?).

For that you can use "forced frames" technique. In short -- you put simple JS in head of your page to check that it is in frame.

First Frameset is the login page.

If user has disabled JS, you will send him again to the login Frameset.

And Web Security will improve things tremendously although it has big limitations or holes or both.

[Denniz]

I dont use frames in my admin (its a home made one with forms). And if i secure with the Web Security nothing happends when i go to my admin (no password pop-up or something).

Is there a way i can do it with a login page (which will leave a cookie) and protect the rest with a cookie check or something?

[Denniz]

I know have a login page, which works with my user/pass fields in my database:

[color:"red"]

<form action="FMPro" method="post" name="loginform">

<input type="hidden" name="-DB" value="web_site.fp5">

<input type="hidden" name="-Format" value="startindex.html">

<input type="hidden" name="-Type" value="user">

<table width="250" border="0" cellspacing="0" cellpadding="0">

<tr>

<td>Loginnaam</font></td>

<td>

<input type="hidden" name="-op" value="=">

<input type="text" name="guser" size="20">

</td>

</tr>

<tr>

<td>Password</font></td>

<td>

<input type="hidden" name="-op" value="=">

<input type="password" name="gpassword" size="20">

</td>

</tr>

<tr>

<td>

<input type="submit" name="-find" value="Login!">

</td>

</tr>

</table>

</form>

the login works great! but every source checker can pass this login (see hidden type=-Format). Does anyone have a solution for this??

ciao,

Denniz

[Garry Claridge]

I believe FM6 allows you to protect your format files from direct access.

All the best.

Garry

[Anatoli]

Not only source checker But that doesn't matter with forced frames.

Furthermore if you haven't set WC for "exact search" everyone can get anything from WC without any passwords.

[Denniz]

i have FM 6 but how can i protect my format files? and how do i change my database to "exact search"? (maybe its too early today )

[Anatoli]

In v. 6 is one folder not accessible but served.

Exact search is in Web Security database.

[Denniz]

it still doesn't works, isn't there another way?? maybe some java/CDML script i can put in my not-protected files?

[Garry Claridge]

Here is some information about how to protect your format files:

"About the cdml_format_files folder

Use this folder to protect your CDML format files for FileMaker Pro Custom Web Publishing.

When you store your CDML format files in this folder, the FileMaker Pro Web Companion will process these format files as part of CGI requests, but their contents cannot be viewed directly by HTTP requests.

The cdml_format_files folder can only be used to secure your CDML format files. It cannot be used to hide images or static html files.

For more information about using the cdml_format_files folder as part of a comprehensive approach to Web security, see the Web Security.pdf document (FileMaker Pro folder > Web Security > Web Security.pdf)."

You can use "Exact Search" in the "Web Security" database to protect access to the database. Check the "Web Security.pdf" for details on this.

If you want to protect the source of your pages from being viewed from the browser, you may have to use various disguise methods which are mere deterrents

All the best.

Garry

[ibiubu]

Gary,

the above cdml_format_files folder.

If a html file with CDML tags is accessed that resides in this folder, your saying that the source code for these files cant be viewed?

What about the url information in the address bar? does filemaker also strip this of all the information such as database name, layout name, recid and the likes?

LR

[Garry Claridge]

Larry,

The source can not be viewed directly. That is, if somebody uses a URL which leads them to a Format file without going through WebCompanion.

Unfortunately, FM can't control the appearence of the URL. I tend to use forms for almost everything I do. Hence, no URL with CDML embedded.

All the best.

Garry

[ibiubu]

Thanks Gary. I figured that was going to be the case. I just was not familiar with the cdml_format_files folder in the new version 6 and was curious what it did.

I am currently implementing some of your suggestions from another post to control the appearance of the URL.

Larry

[Steve T.]

Hi, Garry -- I started using more POST forms, too, but my detail pages still had CDML url's. Do yours, too, or did you manage to hide them somehow after your "hit list" was generated?

Much appreciated, ST.