
This topic is 7918 days old. Please don't post here. Open a new topic instead.


Posted

Hello FM_Fans!

I am new...really new to all this FM CDML and what_not but I am getting there!

I found some info here where people suggest all kinds of things, such as modifying the Web Security DB and what not... slowly but surely I am now confused beyond repair. Goal --> CDML and Custom Publishing

Can some one explain the following:

1. How can I protect each page from being accessed by a particular LOGGEDIN user?

- I know in ASP (hm hm) all it takes is a valid login session variable to be compared = if existed GO, if not existing NO GO. Anything like this in FM?

2. CDML_FORMAT_FILES folder does Exactly what? ( I know the blah blah from WebSecurityGuide.PDF but the <..../cdml_format_files/MyFormat.html> Does NOT work and Files are never never never never never never found.Period)

3. What is the point of Login in the first place if user can just type in the url... eg. http://dot.com/Login.html when I could just type ---> http://dot.com/LoggedIn.html ? what is on Loggedin.html and other pages that prevent me from accessing them?

I would really really really appreciate answers to at least some of these questions... I am not talking about repeating what is in the guidelines for publishing, I can read, but rather your experience. This is what the forum is supposed to be, right?

Never Trust the Vendor Ask The People...

Anyway, I hope SOMEONE has the answers I am willing to learn but this FM Web Stuff does not really convince me that 10 FM Pro6 licences were well spent money.

Thanx in advance......

p.s. If u live in LA,CAli I WILL buy a beer for an answer

Posted

If you know ASP you may want to search the Internet forums for ASP threads. It can be used with FMPro and there is a weblink to more ASP/FMP info on one of the threads if I recall correctly.

Posted

RE: 3. What is the point of Login in the first place if user can just type in the url... eg. http://dot.com/Login.html when I could just type ---> http://dot.com/LoggedIn.html ? what is on Loggedin.html and other pages that prevent me from accessing them?

You can use "forced frames" and it will be no problem...

You can check on each page if user is logged or not etc... Use tokens for that, and use web security database...

HTH

Posted

Thanx for the response Anatoli!

When you say "forced frames".... = ?

Q: Is there another way without using frames?

Tokens=?

Q: Would Token be something like a "session variable" and how to use it? Do I have to have Users.fp5 and MyInventory.fp5 related to use the token concept?...I will stop asking and let you answer :) . Sorry for all the questions, it's just that my brain is "hungry"

I am really new to this so please understand why my questions are so "simple" in comparison.

Thank you again for the advice!

Posted

For that you can use "forced frames" technique. In short -- you put simple JS in head of your page to check that it is in frame.

First Frameset is the login page.

If user has disabled JS, you will send him again to the login Frameset.

And Web Security will improve things tremendously although it has big limitations or holes or both.

Your frameset can look like normal pages; one frame can be in size of 1 pixel. The advantage is that the first URL never changes. Even better will be chromeless frames.

Try http://www.prnet.cz/ and try to open in new window the link on right "Seznam z

Posted

ok ok this makes sense...JavaScript is not my favorite tool of security but I can see the logic behind it and how to hide the source code.

Is there a tutorial on Tokens?

Thank you...!

Posted

Do you know of any other security methods? I took a look at your site and I was able to preview the source code in all 3 of the HTML documents for your frames. I got all of your tokens database name etc. That's nothing major, but I got that cool Error you got that tells the user to use the back button...

Is that a FMP thing or is that something you created. How can I do that!? lol

Thanks!

~Addam~

Posted

I did try initially ???-)

However, the ODBC part of FM can not handle it...Filtering of recordsets is unreliable and sometimes it doesn't work at all. I heard of FMConnector but they still have not come up with what I need.....VBScript is what I am after, not pure VB...anyways it would be nice to use StandardQueryLanguage rather than CDML!

Posted

Anatoli here is another set of Qs :)

1: how to use LogOut (javascript:window.close()??? when you are using frames?

- is javascript:parent.close(); it works but is it sufficient?

2: How to set tokens to value of Form Field?

- eg. ( LOGIN.html )--------------------------

field :[userName] --> make it = TOKEN.1 & pass token to SomeInsertPage.html

(SomeInsertPage.html)-------------------

hidden field:[PostedBy]-->default value is TOKEN.1

soooo...?

Basically my idea is to "drag" around the UserName and keep track of what records they insert so I can edit/delete those records later.

Cookies???

That is why I asked you if tokens are "session variables"...again in reference to ASP, do tokens get "destroyed"...meaning can I call them after I navigated through some pages or do I have to pass them page by page by page using forms and links only?!!! :(

Thank you Anatoli!

p.s. I better start saving some money because I owe you & your family a dinner for all this help!

Posted

ok now I am officially going crazy with this FileMaker crap.

Can someone HELP :( .........I think I am missing some basics here. Now my login page doesn't work...even when the password and username are entered on my form it STILL asks for the ******* password for the Users.fp5, which I can type in, but why did I spend all this time trying to make a login page????

Slowly but more than SURELY I H A T E FileMaker! there I said it :X

WHAT IS THE POINT of Login page and all of the above I have asked?:? HAS anyone had this problem...I think I am going to cry now for a while..while I do this could someone look at my login.html, the form part, please....THANK YOU

______________________________________

<form action="FMPro" method="post" name="loginform">
  <input type="hidden" name="-DB" value="Users.fp5">
  <input type="hidden" name="-Format" value="Welcome.html">
  <table width="35%" border="0" cellpadding="0" cellspacing="0" class="text">
    <tr>
      <td width="33%">User Name:</td>
      <td width="67%">
        <input type="hidden" name="-op" value="eq">
        <input type=hidden name="UserName" Value="=">
        <input type="text" name="UserName" value="" size="20">
      </td>
    </tr>
    <tr>
      <td>Password:</td>
      <td>
        <input type="hidden" name="-op" value="eq">
        <input type=hidden name="Password" Value="=">
        <input type="password" name="Password" value="" size="20">
      </td>
    </tr>
    <tr>
      <td> </td>
      <td align="center">
        <input type="submit" name="-find" value="Login">
        <input name="Cancel" type="reset" id="Cancel" value="Cancel">
      </td>
    </tr>
  </table>
</form>

_________________________________________________

Posted

I never claimed someone cannot see the code. It was not done with inlines and Lasso.

It is cheap WC application.

In the last question you have not specified the FM layout.

Cool error is error html page.

Token must be passed from page to page otherwise it will vanish.

Get CDML database immediately :)

Posted

ok....Thank You Anatoli (again)!

-Specifying layout didn't make much difference, I am still asked to re-enter the password in that nasty pop-up? :( Should Users.fp5 have any passwords for opening itself? (I am using Web Security DB)

I got the CDML database....but no working samples are there....the token concept kind of makes sense but I have "0" experience in CDML, so those general format files -reference.fp5 don't really help; they more mislead me (well, give some ideas too :) ) since I do not know how to adjust/modify...eg.

-view stays as such or changes to -MyView.....and then I mix up load of issues on my pages.

It's too bad that Apple/FileMaker.com community really doesn't supply much resources and hands on examples.... :(

Agh TOKENS....isn't it a pain to keep track and dragggggg them around the pages? eg. Token=UserName?

Is it a good idea to use tokens as the basis of filtering records for those created by the user, or are cookies a better solution? (I noticed in your older posts you dislike them)

have you looked at CDML book -->FMwebschools.com? is it worth the time (its only $30)?

anyhow, thank you for your time!

Posted

CAN someone take a look at this Login.html and say what is wrong. Once I click submit the pop-up comes to re-enter the password/username I just typed in the HTML page. IF I re-type it all the other DB and -format functions work without asking this password again.??? When I started this project I had a full set of hair and few more days and I will be wearing a head piece :) thanx guys

here is the full code:

__________________________________________________________

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>Login</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  <link href="/CSS/FM.css" rel="stylesheet" type="text/css">
</head>
<body>
<table width="100%" height="542" border="0" cellpadding="0" cellspacing="0">
  <tr>
    <td width="17%" align="left">&nbsp;</td>
    <td width="83%" align="center" valign="middle">
      <form action="FMPro" method="post" name="loginform">
        <input type="hidden" name="-DB" value="Users.fp5">
        <input type="hidden" name="-Lay" value="START">
        <input type="hidden" name="-Format" value="Welcome.html">
        <input type="hidden" name="-Error" value="Login_Error.html">
        <table width="35%" border="0" cellpadding="0" cellspacing="0" class="text">
          <tr>
            <td width="33%">User Name:</td>
            <td width="67%">
              <input type="hidden" name="-op" value="eq">
              <input type=hidden name="UserName" Value="=">
              <input name="UserName" type="text" id="UserName" Value="" size="20">
            </td>
          </tr>
          <tr>
            <td>Password:</td>
            <td>
              <input type="hidden" name="-op" value="eq">
              <input type=hidden name="Password" Value="=">
              <input type="password" name="Password" Value="" size="20">
            </td>
          </tr>
          <tr>
            <td> </td>
            <td align="center">
              <input name="-find" type="submit" id="-find" value="Login">
              <input name="Cancel" type="reset" id="Cancel" value="Cancel">
            </td>
          </tr>
        </table>
      </form>
    </td>
  </tr>
</table>
</body>
</html>

_____________________________________________________

thanx

Posted

The "Web Security" database is causing the http login pop-up. Take off the restricted access and the pop-up will go away.

The other way to avoid the pop-up, yet still use the "Web Security" database, is to use a URL with the username and password embedded into it. For example, this URL will "login" via the "Web Security" database:

htp://myusername:[email protected]/FMPro?-db=users.fp5&-lay=start&-format=welcome.html&-op=eq&username=myusername&-op=eq&password=mypassword&-find

Hope this is useful. All the best.

Garry
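A URL of the form shown in the post above carries the password twice, once in the userinfo part and once in the query string, and both copies are recorded wherever the URL is (server access logs, browser history, proxies). The following is an added example, not part of the original post: a sanitizer that strips both before a request URL is written to a log. The host `example.invalid`, the sample URL and the list of sensitive field names are assumptions.

```javascript
// Added example: strip credentials from a request URL before it is logged.
// SENSITIVE_FIELDS and the host example.invalid are assumptions.
const SENSITIVE_FIELDS = new Set(['password', 'passwd', 'pwd']);

// Constructed sample in the shape of the URL quoted above.
const SAMPLE_URL =
  'http://myusername:mypassword@example.invalid/FMPro?-db=users.fp5' +
  '&-lay=start&-format=welcome.html&-op=eq&username=myusername' +
  '&-op=eq&password=mypassword&-find';

function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s; // malformed escape: compare the raw name instead
  }
}

function redactUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return '[unparseable URL]'; // never fall back to logging the raw string
  }
  // 1. Userinfo (user:pass@host) is what answers the HTTP login prompt.
  if (url.username || url.password) {
    url.username = 'REDACTED';
    url.password = '';
  }
  // 2. Query string: keep order and repeated keys such as -op; mask secrets.
  const cleaned = url.search
    .replace(/^\?/, '')
    .split('&')
    .filter(Boolean)
    .map((part) => {
      const eq = part.indexOf('=');
      if (eq === -1) return part; // bare action flag such as -find
      const name = safeDecode(part.slice(0, eq)).toLowerCase();
      return SENSITIVE_FIELDS.has(name) ? part.slice(0, eq) + '=REDACTED' : part;
    });
  url.search = cleaned.length ? '?' + cleaned.join('&') : '';
  return url.toString();
}

console.log(redactUrl(SAMPLE_URL));
```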

Posted

RE: 2. CDML_FORMAT_FILES folder does Exactly what? ( I know the blah blah from WebSecurityGuide.PDF but the <..../cdml_format_files/MyFormat.html> Does NOT work and Files are never never never never never never found.Period)

Remove the reference to "/cdml_format_files" in your format file path. FM will know to look there. I've tested this and it works fine.

All the best.

Garry

Posted

thanx for responding Garry!

The URL concept..hm a bit concerning with multiple users so I can't use that. Web Security database (I thought) is there so I can have some security and therefore I need to use it so I can restrict access/display of certain fields especially when DB used on INTRAnet...(now that I said it I wonder...)

Alternative (that I am using) is to make a token (a unique number from UserID-Users.fp5) when user logs in. I drag that token and use it to filter the records and display info only related to it. In other words any time I create a new record I insert unique ID of user with it.

No Right UserName and Password -> NO unique ID

No Unique ID -> NO Access to anything!

This way I know who did create which record.

What do you think about this system of using Token as Security?

Does using Web Security matter then?= Can I function without and just use FileMaker Access Privileges that match UserName/Password in Users.fp5

Thanx for input guys!
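The scheme in the post above uses the user's ID itself as the token, so the value the server filters on arrives from the browser with every request. As an added illustration (plain JavaScript for Node.js, not CDML and not code from this thread), the block below shows a token a server can verify on each page: the user ID plus an expiry time, authenticated with an HMAC under a server-side key. The key handling, the `userId.expires.mac` layout and the 20-minute lifetime are assumptions.

```javascript
// Added example (not CDML): a token the server can verify, versus a bare user ID.
const { createHmac, timingSafeEqual, randomBytes } = require('crypto');

// Assumption: a per-server secret kept outside the web-visible files.
const SERVER_KEY = randomBytes(32);

function sign(payload, key) {
  return createHmac('sha256', key).update(payload).digest('base64url');
}

// Issued once, after UserName/Password matched a record in the users table.
function issueToken(userId, nowMs, ttlMs = 20 * 60 * 1000, key = SERVER_KEY) {
  const payload = `${userId}.${nowMs + ttlMs}`;
  return `${payload}.${sign(payload, key)}`;
}

// Run on every page request; returns the user ID, or null for "NO GO".
function verifyToken(token, nowMs, key = SERVER_KEY) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null; // a bare ID such as "42" stops here
  const [userId, expires, mac] = parts;
  if (!/^\d+$/.test(userId) || !/^\d+$/.test(expires)) return null;
  const expected = Buffer.from(sign(`${userId}.${expires}`, key));
  const given = Buffer.from(mac);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!timingSafeEqual(given, expected)) return null; // edited ID or expiry
  if (Number(expires) <= nowMs) return null; // expired
  return userId;
}

// Constructed demo values.
const demoNow = 1000000;
const demoToken = issueToken('42', demoNow);
console.log(verifyToken(demoToken, demoNow + 1000)); // valid token
console.log(verifyToken('42', demoNow)); // bare user ID is rejected
```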

Posted

I will give it a try.... what if 98% of my pages have -format...should they be in "CDML_format_files"?

thanx

Posted

RE: The URL concept..hm a bit concerning with multiple users

This is where you would use some Javascript to dynamically construct the URL. However, unless you have some Javascript programming skills look at alternative methods.

RE: Token method

I tend to prefer Token/Cookie methods to control who goes where.

All the best.

Garry

Posted

great!

Again, thank you Garry!

Tokens seem to be more effective rather than Web Security DB...but a newbie like me had to learn the hard way :) !

I hope someone can learn from this...

Garry I owe you!....maybe some PhotoShop Skills can repay?

Anyway, thanx for all

  • 2 weeks later...
Posted

I'll throw in my 2 cents.

The reason you are getting an additional popup from your login page after you submit is because when using Web Security, all form requests are passed "through" the Web Security database. So, even though you are "logging in" to your Users.fp5 database, you must still prove that you are a valid Web Security user by entering your username and password in the following popup menu. Unfortunately, I don't believe there is a way around the popup login. On most solutions that I have developed the "welcome" screen is merely a cover for a hidden "-View" form submission that then forces the user to "login" using the popup window. Hope that helps.

-Jeff

Posted

oh.....well that messes up my whole LOGIN system then ..LOL :)

I need to use Users.fp5 since my user -level-rights are defined in it as well as the UserID that is = Token which is later inserted into DBs as a record of ownership!

I guess I could tell my users "The second window pop up is for "security"..." LOL

anyway, thanx for the input
