
help creating custom login system


This topic is 7351 days old. Please don't post here. Open a new topic instead.


Hello,

Hello, I was wondering if someone can give me a hand with this. We have 28 databases right now and I was not here when they were built. I want to build a custom login system for the employees. I have checked some solutions like the Gateway, but I am so new to FM that I don't know where to begin when it comes to those solutions.

Here is what I want to do. I want to create a solution where I can give each person their login/password to access the databases. The deal is that once they are logged in, I want the databases that correspond with their L/P to open automatically. I have divided everyone into groups: Operation, Adminission, Managers. Some people need access to some databases to edit/create records; others just need to browse for records and print them out. I want to create an administrator interface where I can add new users and enable their privileges. Right now, we are using a general password for the groups.

Any help would be appreciated,

Thanks,

victor

Link to comment
Share on other sites

Hi Victor. I'm right in the middle of something now- just saw your post. Rather than explaining in detail here, I can send you an example of how I do a login system with our databases. It works very well.

It involves creating a master login, one record file with a few globals; and another one, or perhaps two user files, depending on how you prefer to set it up. Then the privileges for each specific database are set in the user file. Creating a relationship from the master login to the user file (master::USERPASSWORD = user::USERPASSWORD) then enables user access privileges for each user.

Let me know if you are interested, and I can send them to you fully open and you can check the scripting of the system.

Manny Silva

Child and Family Services

New Bedford, MA

[email protected]

Link to comment
Share on other sites

  • 2 months later...
  • Newbies

I too have a similar problem. I work for a school and we have a series of databases that link together. I would like to create a user interface that asks for username & password and then allows them into the appropriate area and gives them the access rights they need. At the moment we use the built-in password facility, which is OK, but I don't know which password belongs to which user, plus if I need to change it I have to go through all the files making the same changes.

Hope someone can help.

Cheers

Keith Bolton

[email protected]

Link to comment
Share on other sites

This is a super-simple database login system I created that opens files based on a username. The password for full access is "Admin" - the file called Login Database is a custom login that asks users for a username and password, which it references against the file called Access. Each user has their own record in Access, containing the username, password, and which files should be opened. The same script in Login Database that validates the login also opens the specified databases. You can define reading/writing/printing permissions by having users enter a base password when opening Login Database, and define the same basic passwords throughout all the files and give the different groups appropriate access. This is just a basic shell but it can easily be applied to your databases. I didn't want to add in extra stuff that you would just have to take out when applying it to your databases.

FM.zip

Link to comment
Share on other sites

  • 2 weeks later...

At ISO FileMaker World (check it!) you find a nice login system called "The Gateway". The description says:

Here is an incredible implementation of a login routine, allowing personalized access to a solution, user-specific privileges and preferences, system preferences, administrator settings and privileges, hierarchical access to the data, and even an activity log. You can open this one up and see how efficiently it has been made, then incorporate it into your own solution!

The Gateway MAC

The Gateway WIN

Link to comment
Share on other sites

Yeah, but there are programs floating around out there for about $40 that will give you the native FM password in a matter of moments. So I'm not sure a custom system is really that much worse than the native system. I think if I really needed security -- like running a reactor or an air traffic control system -- I'd choose something other than FM.

my two cents

Link to comment
Share on other sites

Yes, as OAM pointed out, and with much respect to Giuseppe's work, this kind of solution wouldn't be suitable as a Login routine.

I'm not a hacker, but with even less than 30 seconds, you'd be able to screw up the whole file, and even delete the admin/admin password.

I'm not that sure Giuseppe's demo was designed to demonstrate a login routine anyway.

My 2 cents.

Link to comment
Share on other sites

I've heard that argument before, and I am not buying into it. There are steps that can be taken to protect files, although these cracker programs can do a lot of damage in terms of extracting passwords. Several have been made to go away, and I hope that trend continues.

Link to comment
Share on other sites

  • 4 weeks later...

What I really need is to be able to tell which operator took a message and which opr delivered the message. I have only two computers, peer to peer. Messages are taken and delivered on each machine. Sometimes station 1 takes the message and station 2 delivers the message. I just need someone to identify who took the message and who delivered the message. Thanks, Jim

Link to comment
Share on other sites

Steve

What suggestions do you have then? You are preaching not to do it, but aren't offering any solutions / files in return. I need a login system where the admin can create users and passwords and the users can only see their own records or records that the admin deems okay for everyone. I don't want to use the built-in privileges because of the annoying "no access" tags...

What then do you suggest other than "don't use that"...

Link to comment
Share on other sites

The Moyer and Bowers book "Filemaker Pro 5.5, techniques for developers" discusses the pitfalls of custom login systems, and then goes on to describe a system which avoids them. That's not to say that no one has discovered other weaknesses though.

Brian Kennedy posted a sample solution framework using their technique. Here is the link:

http://www.fmforums.com/threads/showflat.php/Cat/0/Number/74935/page/4/view/collapsed/sb/5/o/all/fpart/1

As I recall, the method uses a paused script for user ID and password entry. If you are using Filemaker 6, I suggest you replace this with a custom dialog.

Link to comment
Share on other sites

Ever look to see what a "Halt Script" does to looping pause? The suggestion about custom dialog is an excellent one. But be sure to assure that the solution can't be opened in an earlier version.

The <no access> tags can be easily dismissed by the use of a Go To Related Record as I explained recently on FM Experts.

I am trying to alert you all to dangers in the methods used in these log-on systems so that you don't wind up having to explain to your bosses or clients how your technique resulted in the fairly easy extraction or compromise of your data or files.

The closer you stay to the built-in FMP system, the better off you are.

yafreax asked:

"what then do you suggest other than "dont use that"... "

Use the built-in system. The fact that you or anyone else wants to do something else or wants a different functionality isn't material here. What is material is that if you use such a log-on system, you almost always degrade your security.

I have already had to provide expert witness testimony in 2 cases involving loss of data and property in systems such as this and the attendant negligence and liability issues. I hope not to have to do that anymore anytime soon or at all.

Steven

Link to comment
Share on other sites

Ever look to see what a "Halt Script" does to looping pause?

Yes, I have. That's why I suggested the custom dialog. However, even with a pause loop it's not necessarily impossible to make a secure login. You just have to make sure that if the user manages to cancel the login script, it's cancelled in such a way that he isn't logged in yet, and cannot get beyond the login layout and the login file.

BTW, I'm not trying to encourage people to use custom logins. But if someone asks, I'll give them whatever information I can.

I'm less concerned with the weaknesses of the login procedure than with other back doors into the files. You can spend a lot of time making the login script secure, and then completely overlook some simple thing in the rest of the solution that will let a hacker in with no effort. So, if you're doing a custom login, it's important to design the whole system from the ground up with security in mind. You can't just take an existing db solution, tack a login script on the front and expect it to be secure.

Link to comment
Share on other sites

" less concerned with the weaknesses of the login procedure than with other back doors into the files. You can spend a lot of time making the login script secure, and then completely overlook some simple thing in the rest of the solution that will let a hacker in with no effort."

Exactly. And if a developer believes that the custom log-on provides security, and then that belief proves false--then these other vulnerabilities become even more exploitable.

"You just have to make sure that if the user manages to cancel the login script, it's cancelled in such a way that he isn't logged in yet, and cannot get beyond the login layout and the login file"

However by entering a known false log-in, you can frequently force open the "users" file, and then you cancel the script. Now you have an open "users" file that is in almost every case I have seen easy to exploit.

Steven

Link to comment
Share on other sites
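The fail-closed behaviour argued over in the two posts above, as an added Python example that is not part of the thread and is not FileMaker code: the session starts unauthenticated, a cancelled or failed login changes nothing, and an unknown username never yields a usable record. The user names, file names, `LoginSession` class and the choice of salted PBKDF2 hashes are assumptions made for illustration.

```python
import hashlib, hmac, os

class LoginCancelled(Exception):
    """Models the user halting the login script part-way through."""

def _hash(password, salt):
    # Salted, slow hash: the user store never holds a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, files):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "files": files}

# Constructed sample user store (hypothetical names, not from the thread).
USERS = {
    "victor": make_user("correct horse", ["Operations.fp5", "Messages.fp5"]),
    "keith": make_user("battery staple", ["Messages.fp5"]),
}
_DUMMY = make_user("unused", [])  # same work is done for unknown usernames

class LoginSession:
    def __init__(self, users):
        self._users = users
        self.user = None        # fail-closed default: nobody is logged in
        self.open_files = []    # nothing is opened before success

    def login(self, username, password, cancel_after_lookup=False):
        record = self._users.get(username, _DUMMY)
        if cancel_after_lookup:
            raise LoginCancelled()  # state is untouched at this point
        candidate = _hash(password, record["salt"])
        ok = hmac.compare_digest(candidate, record["hash"])
        if not (ok and username in self._users):
            return False
        # State is committed in one place, after every check has passed.
        self.user, self.open_files = username, list(record["files"])
        return True

    def files_for_session(self):
        return list(self.open_files) if self.user else []

def demo():
    s = LoginSession(USERS)
    results = [s.login("victor", "wrong"), s.files_for_session()]
    try:
        s.login("victor", "correct horse", cancel_after_lookup=True)
    except LoginCancelled:
        pass
    results.append(s.files_for_session())          # still nothing after cancel
    results.append(s.login("victor", "correct horse"))
    results.append(s.files_for_session())
    return results
```
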

  • 2 weeks later...

Wanna bet?

Actually, I should ask if you've tried them all. I wrote a password hack program about a year ago as a result of a discussion in this forum, in order to demonstrate how insecure Filemaker's built-in passwords are. I haven't found any special characters that would prevent the password from being found. But, it's possible that some of these hack programs do not have the complete encryption algorithm figured out, and so may fail with certain characters.

Link to comment
Share on other sites

Jim,

The databases open with a default low-access password for normal users. When you are opening the databases to do work on them, hold down the Shift key. It will ask you for a password. ("Admin") Then you can show the Status Area, switch layouts, and create records that define access for your users.

Link to comment
Share on other sites

Admin is only the password to gain full access to the file - it will not work in the login system itself. Once you have full access to Access.fp5, run the script that says Show Status Area, then switch layouts. You will be able to see the logins I created.

Link to comment
Share on other sites

All of this discussion about creating custom logins is obsolete: FMP 7 has it all built-in and facilitates building secure interfaces to manage it all.

YEAH!

Link to comment
Share on other sites

Hi Greg

Sorry, I don't do password recovery because I have no way to verify who is the legitimate owner of a database. I've done a couple of demonstrations on some empty files that a couple of people have sent me, but that was the extent of it.

Link to comment
Share on other sites

No need to wait till server, it's all functional in plain old FM Pro 7. Even the Trial version.

I've put something together already... when I get time I'll strip it out and get a demo happening. I'd welcome the security experts here like OAM, Bob and Ray (amongst others) to evaluate it.

We can all learn from this together, learning FMP 7 is such a big job.

I'll post it in the samples forum when it's done. Probably later today my time.

Link to comment
Share on other sites

Yeah. It looks like I have to upgrade to OSX now so I can play with the new toys.

It looks to me that hosted files should now be very secure. However, files to which the user has direct access may still be susceptible to attack with many of the old methods (except that it won't be possible to retrieve passwords since only the pw hash is stored). And FM7's method of converting older files compromises their security, but it seems that FMI isn't interested in security for fp3 and fp5 files any more.

Link to comment
Share on other sites

I think some of the benefits of downloading these solutions and even creating them and posting them up here, include demonstrating some of the inherent weaknesses of any solution.

Really I would suggest people don't download a solution because it's not secure, it may just be perfect for the sort of application they're using.

I was not surprised that Bob Weaver hacked into my login demo in a matter of minutes, but I was gobsmacked that the file was accessible after being "Permanently locked" by the developer package... In fact it's made me re-assess my approach to security within solutions, and for that I am grateful.

The level of security that a person requires in their solution is entirely their own bailiwick. The Gateway package talked about here is definitely not secure, but that doesn't mean that it's completely useless. I think the approach used in its development was good, and if anything it's a great learning tool in FileMaker development.

Just my opinion. :)

P.S.: I now encrypt my sensitive data with 128-bit RC6 encryption :)

Q

Link to comment
Share on other sites
