
Logins, Cookies, and Tokens oh my


I've now got my database set up in a CDML website. I wish to add the same type of security functionality that I see when my Filemaker DB is used with Instant Web publishing.

I have turned off instant web publishing and started the WebSecurity DBs.

Right now I have set up two types of users for this database.

One user has a password and complete access to editing, duplication, etc.

The other is set as All Users with access only to browsing.

The reason I state this is that I've come across reference KB documents stating that -view, -findall, -findany will always prompt a login screen. This is just not the case with my situation above.

Are there any examples of login pages with CDML setting up Cookies? How would I make a login page for user name and password, that would store this data as a Cookie and at the appropriate time (edit, delete, new) access the cookie. I'm a bit confused on [FMP-SetCookie] and [FMP-Cookie] and how it would be used in an HTML form.

Thanks for any help

There are only three things I have learned about cookies and FMP, and they are from these forums and the FMP TechInfo KnowledgeBase.

1.) Anatoli does not like cookies.

2.) the time must be no greater than 9999.

3.) CDML allows the setting of one (1) cookie

  • Author

The statement is incorrect:

3.) CDML allows the setting of one (1) cookie

After looking on Filemaker's web site in the Knowledge Base area I've found that 1 cookie in CDML was indeed an issue in Filemaker 5.0, but 5.5 fixed this issue.

I am using Developer 6 and Unlimited 6 for my server

Who is Anatoli anyway? Does he declare the Holy edict on this issue?


While FM cookies were quite reliable in NN, they sometimes fail in IE.

I didn't have many problems with JS cookies in IE.

Now there are other issues with cookies:

1. people switch them off because of "spyware"

2. IE 6 is asking every server which sends a cookie for a declared (XML) privacy policy. If that doesn't exist, no cookie is set.

HTH

Basically:

have a Users.fp5 file with field Username and password

make a login.html page, static, containing only a redirect:

"FMPro?-db=D_Users.fp5&-error=error/DatabaseNotOpen.htm&-format=login2.html&-lay=cgi&-view"

In this page you have

[FMP-If: Currentcookie:username .eq. ]

Welcome. Enter Username and Password to login

//relevant form follows

[FMP-Else]

Welcome [FMP-Cookie:Username]

// a form with username= [FMP-Cookie:Username]

password= [FMP-Cookie:password]

follows

After users successfully enter they end up in a login_ok.htm page in which you set the cookies:

[FMP-SetCookie: password =Field: Password, Expires= a number ]

[FMP-SetCookie:Username=Field: Username, Expires= a number ]

  • Author

Thanks for your help. The database(s) I'm creating/modifying are being published for the company intranet, so I do have some control over what browsers my end users will have.

I'm a little confused on how the form view would look or interact, for that matter. I'm using WebSecurity. Would I have something like

<INPUT TYPE="hidden" NAME="-db" VALUE="Web Users_.fp5"> to refer to the database in the initial HTML/CDML form?

If true then my input fields would be like

<input type="text" name="User Name" VALUE="[FMP-Cookie:Username]" size="39">

<input type="text" name="Password" VALUE="[FMP-Cookie:password]" size="39">?

My databases are set up so that with no user name and password you can just browse the records. Would I just create a button link that sets the cookie to "none"?

Thanks for all your help in advance

The Web Security database is used by WebCompanion for http security. Hence, it will cause the Browser to pop-up a Javascript login box. Alternatively, you can construct a URL for login, which looks something like this:

http://myusername:mypassowrd@myadress:port/FMpro... etc

All the best.

Garry

Username and password are fields of a Users.fp5 file

The login form looks like

<form action="FMPro" method="post">

<input type="hidden" name="-db" value="D_Users.fp5">

<input type="hidden" name="-lay" value="cgi">

<input type="hidden" name="-format" value="login_ok.html">

<input type="hidden" name="-error" value="login_ok.html">

<input type="hidden" name="-Lop" value="and">

<input type="hidden" name="-op" value="eq">

<input type="hidden" name="Username" value="">

<input type="hidden" name="-op" value="eq">

<input type="hidden" name="Password" value="">

<input type="submit" name="-Find" value="Login">

</form>

HTH

If you are using your own User database for Login (not the Web Security Database), then you can use Cookies or Tokens to maintain a Session. However, this does not prevent "-findall" access by "-raw" and "-xml_fmp".

All the best.

Garry

If you are using your own User database for Login (not the Web Security Database), then you can use Cookies or Tokens to maintain a Session. However, this does not prevent "-findall" access by "-raw" and "-xml_fmp".

All the best.

Garry

Even the Web Security Database will not prevent usage of the above -raw requests.

IMHO only a system with the Web Security Database AND "exact search" will block, I guess, maybe 100% of that syntax.

The Web Security database is capable of stopping access by -raw etc. It will not, if you set "All Users" to browse.

Garry

  • Author

Thanks everyone for your responses.

Pupiweb provided some helpful code but, where does the cookie play in? Doesn't it have to be set somehow?

I am using the Web Security database and like I mentioned before these databases are INTRANET only so I'm not that concerned with people browsing or searching. What I am concerned about is modification, addition and deletion of records.

I would like users to login to the database (whether they are authorized or not) and not have to worry further down in their session about re-logging in every time they make a query. Again similar to the Instant web publishing method.

Basically I would like to have the same type of authentication experience of Instant Web publisher, but the control of web look, search result, and diversity I can achieve in custom built solutions done in CDML. I'm surprised Filemaker doesn't include an example solution in either Developer or Unlimited packages.

Thanks again

Sorry, I made a mistake in the posted code. These lines are the correct ones:

<input type="text" name="Username" value="">

...

<input type="password" name="Password" value="">

Thanks everyone for your responses.

Pupiweb provided some helpful code but, where does the cookie play in? Doesn't it have to be set somehow?

Sorry I didn't want to make terribly long posts; here is the complete login page code

</Table>

</td>

<td colspan="2" rowspan="4" valign="top">

[FMP-If: Currentcookie:username .eq. ]

<H2>Wellcome ! <BR> Enter Username and Password</H2>

[FMP-Else]

<H2>Wellcome <U>[FMP-Cookie:Networkname]</U><br>

Click on the Enter button to enter <br><br>

Enter Username and Password if you want to re-login with different data

</H2>

[/FMP-If]

[FMP-If: Currentcookie:username .neq. ]

<form action="FMPro" method="post">

<input type="hidden" name="-db" value="D_Users.fp5">

<input type="hidden" name="-lay" value="cgi">

<input type="hidden" name="-format" value="login_ok.html">

<input type="hidden" name="-error" value="login_ok.html">

<input type="hidden" name="-token.1" value="[FMP-currenttoken:1]">

<input type="hidden" name="-Lop" value="and">

<input type="hidden" name="-op" value="eq">

<input type="hidden" name="Username" value="[FMP-Cookie: Username]">

<input type="hidden" name="-op" value="eq">

<input type="hidden" name="Password" value="[FMP-Cookie: PW]">

<input type="submit" name="-Find" value="Entra">

</form>

[/FMP-IF]

</td>

<td width="13%" rowspan="4" align="center" valign="top" bgcolor="#d8d8d8">

<H2>Login</H2>

<form name="loginform" action="FMPro" method="post">

<input type="hidden" name="-db" value="D_Users.fp5">

<input type="hidden" name="-lay" value="cgi">

<input type="hidden" name="-format" value="login_ok.html">

<input type="hidden" name="-error" value="login_ok.html">

<input type="hidden" name="-token.1" value="[FMP-currenttoken:1]">

<input type="hidden" name="-Lop" value="and">

<b>Username</b>

<input type="hidden" name="-op" value="eq">

<input type="text" name="Username" size="12" value="">

<br>

<b>Password</b>

<input type="hidden" name="-op" value="eq">

<input type="password" name="Password" size="12" value="">

<br>

<input type="submit" name="-Find" value="Login">

</form>

</td>

</tr>

</table>
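As an added example (not part of the original posts, and not FileMaker's own code), this Python check scans CDML format files for the patterns shown in this thread that store a password in a cookie, echo a password cookie back into a page, or embed credentials in a URL. The list of secret-looking names and the sample text are assumptions, constructed from the snippets above.

```python
import re

# CDML tags look like [FMP-Name: args]; capture the tag name and argument text.
TAG = re.compile(r"\[FMP-(SetCookie|Cookie)\s*:\s*([^\]]*)\]", re.I)
# Cookie/field names treated as secrets (assumed naming convention).
SECRET = re.compile(r"^(password|passwd|pwd|pw)$", re.I)
# URLs carrying userinfo, e.g. http://user:pass@host/...
USERINFO_URL = re.compile(r"\bhttps?://[^\s/:@\"']+:[^\s/@\"']+@", re.I)

def audit_cdml(text):
    """Return (line_number, finding) tuples for credential-handling issues."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TAG.finditer(line):
            kind, args = m.group(1).lower(), m.group(2)
            if kind == "setcookie":
                # Shape: [FMP-SetCookie: name=value, Expires=n]
                name, _, rest = args.partition("=")
                name = name.strip()
                value = rest.split(",")[0].strip()
                # A value of the form "Field: X" copies database field X.
                src = ""
                if value.lower().startswith("field:"):
                    src = value.split(":", 1)[1].strip()
                if SECRET.match(name) or SECRET.match(src):
                    findings.append((n, "password stored in cookie '%s'" % name))
            elif SECRET.match(args.strip()):
                findings.append(
                    (n, "password cookie '%s' echoed into page" % args.strip()))
        if USERINFO_URL.search(line):
            findings.append((n, "credentials embedded in URL"))
    return findings

# Constructed sample, assembled from the snippets posted in this thread.
SAMPLE = """[FMP-SetCookie: password =Field: Password, Expires= a number ]
[FMP-SetCookie:Username=Field: Username, Expires= a number ]
<input type="hidden" name="Password" value="[FMP-Cookie: PW]">
<input type="hidden" name="Username" value="[FMP-Cookie: Username]">
<a href="http://username:password@address:591/FMPro?-db=D_Users.fp5">login</a>
"""

if __name__ == "__main__":
    for lineno, finding in audit_cdml(SAMPLE):
        print("line %d: %s" % (lineno, finding))
```

Each finding marks a place where the password itself, rather than an opaque session value, ends up in the browser's cookie store, page source, or address bar and history.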

Well, that explains why any solution I have built where multiple simultaneous cookies have been used has failed on FMP5.

If they fixed the simultaneous cookies issue, why didn't FileMaker also pull their finger out and fix the bug where you cannot use Cookies in InlineActions...

  • Author

Thanks so much for all the responses especially Pupiweb! You're awesome!

iSolve are you referring to unAble's quote about multiple cookies and then my response? Thread makes it look confusing

The Web Security database is capable of stoping access by -raw etc. It will not, if you set "All Users" to browse.

Garry

OK, but how do you let all people browse and have full security?

  • 2 weeks later...

I think Anatoli's question is a very good one. I was hoping to see a knowledgeable response from someone. I don't have one.

Is there some way to have a default.htm which does a META Refresh which could perform a login to the Web Security db with a preset name/password and then go to a specified db and the actual home page?

Such an entry would enhance the developer's ability to present a clean opening, utilize fully the Web Security feature and allow the developer to use their own user protocol within the FM db's, while not requiring multiple logins by the client.

If not with a META, how about with JavaScript?

Anyone with any experience, ideas?

You can construct a URL like this:

http://username:password@address:port/FMPro.....

It will login the browser.

Good Luck.

Garry

p.s. The way to have "All Users" browse and not be worried by "-raw" and "-fmp_xml" is by using Field restrictions. However, this does not prevent the user from seeing all records.

Why thank you Garry. I will check that out.

  • Author

I don't seem to be able to get this to work with the Web Security database. The Web Security database is a directory level above the database I'm trying to set a login cookie page from:

Here is the breakdown

Web

Web/Security <--- Security database located here

Web/CDML Examples/GraphicProject <--- Database and HTML pages here

Does this even matter?

On my default load page I have a link to a page that sets up the cookie that looks sorta like this

localhost:591/CDML%20Examples/GraphicProject/FMPro?-db=Web Users_.fp5&-lay=Main&-format=start.htm&-view

However it doesn't work. The html page never loads, but gives a prompt to log in. When I do I get "You do not have enough access privialges; action:view"

What have I got wrong?

RE: The Web Security database is directory level above the database I'm trying to set a login cookie page from:

That is a wrong assumption. Databases are all the same regardless of the folder where they sit. It has nothing to do with web directory levels. To Web Companion all databases are on a "flat" level.

The directories exist only in HTML web serving.
