September 15, 2005
Hi guys, So I discovered today that by typing in the root domain name, I have full access to the databases hosted on that computer, including edit, WITHOUT a password!! We allow users to enter a new record, and edit their records by entering their username and password. But this Web Portal allowed free rein. What do I do to fix this?? THANK YOU FOR YOUR HELP. I will breathe much easier when this is fixed.
September 16, 2005
Sarah-> Welcome to the forums! A web browser will remember the username and password until it is exited. So if someone returns to the computer, goes to the IWP home page, and clicks a file, they will be automatically logged in using the previous user's username and password. Bottom line: get users to quit the web browser when done using FileMaker and especially make sure the Admin quits. Did I answer the right question?
September 16, 2005 (Author)
Perhaps but I had access to all of the databases, each of which is accessed with a different username and password. It opened up a page with all of the different databases listed. I can open it with a totally different browser and still have the ability to edit, delete, etc.
September 16, 2005
Sarah-> When you say it opened a page with all the dbs listed, do you mean you saw FileMaker's IWP page or did you see a directory listing? If you saw a directory listing, you'll have to tell the web server not to allow that for the FileMaker directory hierarchy. Does the server have file sharing enabled? Have you installed all the updates for your version of FileMaker? Do all the files have their accounts/passwords/privileges properly set? Which FileMaker product(s) are running on the server and what OS is it?
September 16, 2005 (Author)
Hi there, I saw FileMaker's Instant Web Portal page with all the databases listed on it. I'm running FileMaker Pro 5 on Windows XP. I've got passwords set on a couple of them but that didn't seem to matter b/c it's a password to allow you to open the file. I'm not sure how these groups/passwords work. Users will still need to search the database without a password and edit their own listing upon entering their own password.
September 16, 2005 (Author)
I figured it out! You just have to specify a home page inside the web companion besides the default one. Whew. Thanks again for your help.
November 10, 2005
Hi Sarah, I have a question related to your topic. How did you configure the Web access to allow users to search the database without a password and then edit their own listing upon entering their own password? Is it possible to only allow each user to see and edit his/her own record? Thanks, David
December 15, 2005 (Author)
Hi David, I am not a security guru by any stretch of the imagination. I'm allowing access just through the web - they go to a page I created, enter their username and password that are fields in the database and it opens up their record.