
This topic is 7385 days old. Please don't post here. Open a new topic instead.


Posted

I've seen this question asked many times on sites, but none seem to give a definitive answer.

I have a database of users, each user has 1 record page containing fields of personal information that relates to them, and them alone.

Via a web page and CDML, I want a user to enter a Username and Password that retrieves only the record page that applies to that user, and if they want to edit this information they should also be able to do this as well via a web page.

The solution I initially had was a basic CDML search containing 2 fields, and this works to a point. However, if you type '*' it then finds information for all Users.

Is there a way I can submit User and Password values to global fields that, once submitted, invoke a script on the server? This script would use the values in these global fields to search the real (hidden) username and password fields within the database, and return the results to the HTML result page. These global fields would then be deleted.

My theory is that I can force a search for an exact username and password match from the script and hopefully eliminate the possibility of a wildcard search, e.g. a search for all users beginning with 'L' wouldn't work.

To fully achieve this, I think I need to hide the Username and Password 'Field names' from anyone who views the HTML source of the submission page, so it would only show the names of the global fields.

Preferably, I'd like a FileMaker / CDML solution, but could I involve a PHP script in the equation if FileMaker can't do this alone?

Any help would be appreciated.

thanks

Gaz.

Posted

You can use the Web Security database with "Field Exact Match" criteria. The User would then need to match a password/code in the nominated field before they could see the record.

FileMaker published a "how-to" on this in their "Web Security" document. Copies may be available around the place.

Good Luck.

Garry

Posted

Howdy! IMO, one of FM's weaknesses is record-specific security on the web. I could not figure out how to do this with just FM/CDML so ended up using PHP/MySQL for that particular project. You can probably get around the wildcard issue easily enough by using EXACT SEARCH and ==, but people familiar with FileMaker and CDML can probably access any info unless you use PHP or JavaScript anyway, so it depends on how secure it needs to be. You can use FM/CDML and typical users will not be able to bypass your security, but a tech-savvy user might figure out how to thwart your system.

As for globals, it's been a while, but I think I've used them in my web solutions before even though there are issues, e.g. you must enter values for globals at the server and not as a client... I think web users enter global data as the user FM runs as. You can also use tokens and cookies in your security, too.

If you use GET in your web form instead of POST, your fields will be visible in the URL. Scripts over the web are generally not recommended because of single-threadedness and the tendency for near-simultaneous requests to have just 1 execute while the others are dropped without notice (lots of posts about this, esp. by Keith_Davie).

There are some good posts on FM security in general, too. I remember one by BobWeaver (and cjaeger?) that was really informative and got down to the nitty gritty of "try to open my file" kinda testing.

--ST
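
A simplified model of the wildcard problem and the exact-match fix discussed in this thread, as an added example that is not part of any poster's message and is not FileMaker or CDML code. The record layout, function names and sample data are constructed for illustration; the first function treats submitted values as find patterns, the second compares them as literals and returns at most one record.

```python
import hmac
from fnmatch import fnmatchcase

# Constructed sample records (not from the thread). Passwords are kept in
# plain text only to mirror the two-field search described in the question;
# a real deployment would store a salted password hash instead.
USERS = [
    {"id": 1, "username": "lisa", "password": "tulip-42", "phone": "555-0101"},
    {"id": 2, "username": "liam", "password": "x9!harbor", "phone": "555-0102"},
    {"id": 3, "username": "gaz", "password": "c0balt", "phone": "555-0103"},
]


def pattern_find(username, password):
    """Model of the original search form: the submitted values are used as
    find patterns, so '*' matches any run of characters in either field."""
    return [u for u in USERS
            if fnmatchcase(u["username"], username)
            and fnmatchcase(u["password"], password)]


def exact_login(username, password):
    """Hardened lookup: both values are compared as literals, the username
    must identify exactly one record, and the caller gets that record or None."""
    if not username or not password:
        return None  # empty criteria must never mean "match everything"
    matches = [u for u in USERS if u["username"] == username]
    if len(matches) != 1:
        return None  # zero or several hits is a failed login, not a found set
    user = matches[0]
    # Constant-time comparison of the full password value, no pattern logic.
    if not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    # Return only the fields the result page needs, never the password field.
    return {k: v for k, v in user.items() if k != "password"}


if __name__ == "__main__":
    print(len(pattern_find("*", "*")), "records from the pattern search")
    print(exact_login("*", "*"), "from the exact-match login")
    print(exact_login("gaz", "c0balt"))
```

The same rule applies to the edit page: the record being updated has to be chosen by the server from the authenticated session, not from a record identifier the browser submits.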

Posted

Thanks Garry,

I don't know why I missed that security feature. It would help as part of the solution. I actually have a solution now that was posted on this forum before that seems to provide the basics, but I need to get my head around how it works before I can use it on my project.

Thanks

Posted

Thanks for your help. I agree that I get the impression that FM isn't the most secure, probably because so much of the information about Field and Database names is quite clearly shown in the HTML. Now that FileMaker 7 isn't supporting CDML, and more recent versions only allow 10 IP hits per 12 hours, I've decided to eventually learn PHP and MySQL and transfer my project to that, but FileMaker 6 is a good tool for getting a basic web solution up and running.

I've actually downloaded something from this forum that seems to work, I'm not sure which thread it was from, but I'll repost the file here because it could be useful to anyone wanting to do a similar thing.

Thanks for your help.

Gaz.

login.zip
