
This topic is 7538 days old. Please don't post here. Open a new topic instead.


Posted

I've done FileMaker for many years but am just now experimenting with custom web pages. I have a system that I want to offer over the web that asks a user to create their own login account before they enter. Any suggestions? Later when they log in, I don't want to allow them to enter unless they have a username and password. Those items will be passed as tokens to different web pages and affect what they see.

Posted

(sigh)

Hi, datakeeper! Security is relative, I suppose, but I guess it depends on how secure you need it. For a relatively easy but insecure system, I just used 2 fields (login/password) and used an EXACT MATCH (I think it was ==) to search for both fields... typing in only one or the other would generate a found count = 0 error while a successful FIND would bring the user to whatever web page you specify in your -format line. You can then control the content using [FMP-if: conditioncheck] statements.

For a more secure but much messier system, I used a shell of the Web Security Database's USERS_.fp5 db and shared that on the web. Users could then add themselves to this db and a script would transfer their information into the TRUE USERS_.fp5 db when they were approved and/or confirmed they were real people (sent randomized activation code to their e-mail addresses).

In order to prompt for FMP's login window, I had the user try to edit a useless record as the LOGIN. If they successfully logged in, they would go to the -format page and if they did not, they would be sent to an error page or try again page. The [FMP-if conditioncheck] statement can then be used to control information...

[FMP-if ClientUsername .neq.]loggedin user info[FMP-else]you'renotloggedin[/FMP-if]

The problem I had was that I could not get user-specific record protection due to URL-hacking. I could control the web pages, but I could not control what they typed in the URL so 1 logged in user could see/change another user's records. This does not necessarily mean it cannot be done... I just could not figure out how to do it and decided to switch technologies, anyway, so stopped trying. The system worked well enough but since this was going to be for a campus web-based posting system, I decided not to trust mischievous college students who might decide it's the funniest thing to change someone else's post to say something completely different from what the original user intended.

Like I said, though, security is relative, so it's just a matter of weighing the risk versus the reward of having the system. If you are only VIEWING info then I think you'll have fewer problems than trying to control NEW records and EDITING... even then, though, that may not be too much of a big deal, eh? I still use both of the above (EXACT MATCH and USERS DB SHELL) depending upon the situation.

Good luck!

--ST

Posted

Are you using the Web Security databases? Users could add their own info. It's not the ideal security model, but it's probably better than many alternatives including carrying usernames and passwords around in clear text as tokens.
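Two problems come up in the posts above: a logged-in user reaching another user's records by editing the URL, and usernames and passwords being carried between pages as clear-text tokens. The sketch below is an added example, not code from any poster in this thread and not a FileMaker mechanism; it assumes a middleware script sits in front of the database, and the names SECRET, RECORDS, issue_token, verify_token and can_edit are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a secret known only to the middleware, never sent to the browser.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 1800  # token lifetime in seconds

# Constructed sample data: record id -> username of the record's owner.
RECORDS = {101: "alice", 102: "bob"}


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(username, now=None):
    """After a successful login, return 'username|expiry|mac' (no password inside)."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    issued = time.time() if now is None else now
    payload = f"{username}|{int(issued + TOKEN_TTL)}"
    return f"{payload}|{_mac(payload)}"


def verify_token(token, now=None):
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        username, expiry, mac = token.split("|")
        expires_at = int(expiry)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    expected = _mac(f"{username}|{expiry}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # token was altered, e.g. the username was edited in the URL
    current = time.time() if now is None else now
    return username if current <= expires_at else None


def can_edit(token, record_id):
    """Authorize by record ownership, whatever record id the URL asks for."""
    user = verify_token(token)
    return user is not None and RECORDS.get(record_id) == user
```

The ownership check runs on every request, so changing the record id in the URL only succeeds for records the authenticated user already owns.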

  • Newbies
Posted

OK guys and girls be gentle - newb on the block :-)

I am BRAND new to FileMaker and have to work with FM Pro 5.0 unlimited (because that's what I have been given).

Following on from the thread above I would like to be able to sell subscriptions for some stuff on a database for a friend of mine (it really isn't me :-)).

I have been investigating PayPal as the payments mechanism and that seems fine. They can send me payment details interactively and validate that it has happened.

What I need is a way to PROGRAMMATICALLY get at the system (I am proficient with PERL and vaguely aware of PHP) so that when PayPal validates payment I can add a user and password to the database. When added I can send details back to the successful victim^h^h^h^h^h^h subscriber and let them access the system.

Where do I start? Code or script samples, or pointers to the best tutorials would be most appreciated.

Ian

Canberra, Australia

Posted

Your PayPal Form could look like this:

<form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
	<input type="hidden" name="cmd" value="_xclick">
	<input type="hidden" name="business" value="[email protected]">
	<input type="hidden" name="return" value="http://www.mydomain.com.au/cgi/ccpaymentrecv.pl">
	<input type="hidden" name="image_url" value="http://www.mydomain.com.au/images/logofull.gif">
	<input type="hidden" name="item_name" value="Service Account">
	<input type="submit" value="Pay with PayPal">
</form>

Your "ccpaymentrecv.pl" script could then talk to FM. Or, you could have a "ccpaymentrecv.html" file which uses "onload=" in the <body> tag to access FM. Maybe a full CDML URL is acceptable in the Form!

Good Luck.

Garry

  • Newbies
Posted

Thanks Garry,

I was more asking how (say in perl or php) would I assign the user/password attributes into the database since it is not a defined field (or is it better to use the web security database)?

I found a perl script that allows me to write to a defined field :) but I can't see how to add a password (which is more an attribute than a field).

I continue looking :)

Regards

Ian

Posted

The WebSecurity database is probably better for WebCompanion access. However, for this type of functionality I've used a "Members" database with "userid" and "password" fields. And, I have used the WebSecurity database for generic user restrictions.

All the best.

Garry
