Jump to content

Creating a "new" web security database

proton

By proton
in Other Internet Technologies

 Share

This topic is 9114 days old. Please don't post here. Open a new topic instead.

Recommended Posts

proton Collaborator

proton

Posted
Posted

This is a really advanced question. I hope that somebody can help me with this one.

I'm designing a database driven website. It has a couple of databases. One

of the databases is a member database. Here a user can

"sign up" - create a record with his username, password, and other

information. Now what I want to do is when he comes on the site, it asks him

to "log in" using his username and password...and it verifies that the

information he types is correct (exists in the member database) and

consequently gives him access to the entire site - the various other

databases and so on. In other words, something like the Web Security

Database, except I can't use the web security database for this application.

I really need some help with this one. Hope you all can help me out.

Thanks a lot.

proton Collaborator

proton

Posted
  • Author
Posted

quote:
Originally posted by Keith M. Davie:

Search and read: Article Number: 104829, and Article Number: 105687

Peace

Keith M. Davie

Thanks for the info. The articles were helpful, but I don't think they answered the question. In that they dealt with searching for the username and password in order to determine if they exist in the members database. I already know how to do that, but the trick is once they have been verified. How do you use it to log on to the other databases and the rest of the site? And note, like with the web security database, I only want them to enter it once and it is valid regardless of which database they are accessing. And the web security database does this without you having to enter these passwords in the password dialog box in each database. Does this info clarify it a bit? Really really need help with this one..smiles.

jwtidwell Explorer

jwtidwell

Posted
Posted

Just to throw in my two cents. All the TILs and documentation I've read suggest that you shouldn't circumvent the Web Security database for what you are suggesting. Is there an issue with using these databases? Maybe you could utilize your current Member Database and simply write some scripts that might duplicate your member information into the Web Security Users Database for creating and updating access information. Then you are using a proven system and not having to publish direct access to your protected database. Maybe a little more info on your problem and situation may help.

Cheers. Jeff

proton Collaborator

proton

Posted
  • Author
Posted

quote:
Originally posted by jwtidwell:

Just to throw in my two cents. All the TILs and documentation I've read suggest that you shouldn't circumvent the Web Security database for what you are suggesting. Is there an issue with using these databases? Maybe you could utilize your current Member Database and simply write some scripts that might duplicate your member information into the Web Security Users Database for creating and updating access information. Then you are using a proven system and not having to publish direct access to your protected database. Maybe a little more info on your problem and situation may help.

Cheers. Jeff

Jeff, yes I know that it is better to use the existing web security database. But the thing is, when I was first designing the database I implemented use of the web security database, and I modified it (didn't even have to use scripts!!) so that when a user signed up in the member database it automatically created a record in the Web Users database with password and everything. But here's the trick, I am publishing this database on the internet, not on a local network. The ASP I'm going with, they are putting it on a shared server (a dedicated server just for me is a bit too expensive *s*). Now it's known that each copy of Filemaker can only use on Web Security/Web User/Web Fields database, so I'll be sharing that with other people's databases. This means that I seriously doubt they will use my "modified" copy of the Web Users database. Now they suggest that I use Lasso. I was planning to go lasso in the near future, but the trick is that I am working on a timetable. I have to get this up soon. If I have to re-program all my pages in Lasso..too long. So I'm looking for an alternative whereby I can just use my member database as the web security database. Hope this clears it up.

Keith M. Davie Mentor

Keith M. Davie

Posted
Posted

Are you using a Unique Identifier (neither name nor password)? When verification is established, if one has a U.I. available, using that can be the answer you need. Also if U.I.'s are assigned by task/security level, it may be possible to direct to a particular format file if U.I. is within a range.

Peace

Keith M. Davie

  • Newbies
Finn Rookie

Finn

Posted
  • Newbies
Posted

I think I know what you are looking for. 1) The user executes a basic -find for their own database record, meaning their name and password. If found, it returns a format file with a link to the appropriate DB. If foundcount=0, they get passed to an error page. But beyond this you want a real user name and password dialog to come up.

Here's a possible solution: You pre-setup a couple of passwords in a passwords DB, with various previleges (i.e. superuser, adminuser, joepublic, etc.). The "joepublic" password could be spelled out in the text of the "Welcome to my site" HTML. Superusers and such need to get them from you directly. Then the format page returned after their user name -find, contains a series of [FMP-if] statements. For example:

[FMP-if:clientpassword.eq.superuser]

<form action="FMPro" method="POST" name="myForm">

<input type="hidden" name="-db" value="myDataBase.fp3">

<input type="hidden" name="-lay" value="myLayout">

<input type="hidden" name="-format" value="mySuperuserPage.htm">

<input type="hidden" name="-error" value="myErrorPage.htm">

<input type="hidden" name="-view" value="">

</form>

[/FMP-if]

<br>

[FMP-if:clientpassword.eq.joePublic]

<form action="FMPro" method="POST" name="myForm">

<input type="hidden" name="-db" value="myDataBase.fp3">

<input type="hidden" name="-lay" value="myLayout">

<input type="hidden" name="-format" value="myJoePublicPage.htm">

<input type="hidden" name="-error" value="myErrorPage.htm">

<input type="hidden" name="-view" value="">

</form>

[/FMP-if]

proton Collaborator

proton

Posted
  • Author
Posted

quote:
Originally posted by Keith M. Davie:

Are you using a Unique Identifier (neither name nor password)? When verification is established, if one has a U.I. available, using that can be the answer you need. Also if U.I.'s are assigned by task/security level, it may be possible to direct to a particular format file if U.I. is within a range.

Peace

Keith M. Davie

Thanks all for your input..Keith, when you say Unique Identifier, what exactly do you mean? Could you explain in more detail what you mean? I'm confused smile.gif

Thanks again though. Looking out for your answer.

proton Collaborator

proton

Posted
  • Author
Posted

quote:
Originally posted by Finn:

I think I know what you are looking for. 1) The user executes a basic -find for their own database record, meaning their name and password. If found, it returns a format file with a link to the appropriate DB. If foundcount=0, they get passed to an error page. But beyond this you want a real user name and password dialog to come up.

Here's a possible solution: You pre-setup a couple of passwords in a passwords DB, with various previleges (i.e. superuser, adminuser, joepublic, etc.). The "joepublic" password could be spelled out in the text of the "Welcome to my site" HTML. Superusers and such need to get them from you directly. Then the format page returned after their user name -find, contains a series of [FMP-if] statements. For example:

[FMP-if:clientpassword.eq.superuser]

<form action="FMPro" method="POST" name="myForm">

<input type="hidden" name="-db" value="myDataBase.fp3">

<input type="hidden" name="-lay" value="myLayout">

<input type="hidden" name="-format" value="mySuperuserPage.htm">

<input type="hidden" name="-error" value="myErrorPage.htm">

<input type="hidden" name="-view" value="">

</form>

[/FMP-if]

<br>

[FMP-if:clientpassword.eq.joePublic]

<form action="FMPro" method="POST" name="myForm">

<input type="hidden" name="-db" value="myDataBase.fp3">

<input type="hidden" name="-lay" value="myLayout">

<input type="hidden" name="-format" value="myJoePublicPage.htm">

<input type="hidden" name="-error" value="myErrorPage.htm">

<input type="hidden" name="-view" value="">

</form>

[/FMP-if]

Finn,

Thanks for you input, but I don't want the real username and password dialog box to pop up at all *s*. I don't want to have to post a database password on the site. I want a database password to be used to get into the databases, but I don't want the users to know it. They must enter their username and password, and that must be used to 'port' the database password and log in to the database. Understand? It's tricky I know. Actually, I've been fooling around and may kinda have a solution. Not certain yet though. I'll let ya'll know. Thanks again. Long live filemaker forum...hahahaha

  • 4 weeks later...
Anatoli Grand Master

Anatoli

Posted
Posted

quote:
Originally posted by proton:

Finn,

Thanks for you input, but I don't want the real username and password dialog box to pop up at all *s*. I don't want to have to post a database password on the site. I want a database password to be used to get into the databases, but I don't want the users to know it. They must enter their username and password, and that must be used to 'port' the database password and log in to the database. Understand? It's tricky I know. Actually, I've been fooling around and may kinda have a solution. Not certain yet though. I'll let ya'll know. Thanks again. Long live filemaker forum...hahahaha

In my FM discussion forum if user is logged correctly with his/her password and nickname, he/she can continue to all pages and consequently all databases.

No log no link further, only error page. Have you some objections to this?

Anatoli

proton Collaborator

proton

Posted
  • Author
Posted

quote:
Originally posted by Anatoli:

In my FM discussion forum if user is logged correctly with his/her password and nickname, he/she can continue to all pages and consequently all databases.

No log no link further, only error page. Have you some objections to this?

Anatoli

No, no objections to that. I kinda found a solution. It's not exactly what I had in mind, but it works. When the user logs in, it searches the members database and confirms their username and password. If they are valid it logs them into one of the databases using the database password. With enough know how they can get the database password, but it's limited anyways so that's no problem. It has the appropriate securities set. After that, they don't have to log in to any other, and it doesn't bring up the log in dialog box. Thanks all for your input. Check ya laters.

Anatoli Grand Master

Anatoli

Posted
Posted

In fact, I am using multi-level passwords via WebSecurity. Through user database, any user can log in my discussion forum or news. User sets up this security.

If someone has the rights, to do the edits, Database Log dialog called from WebSecurity db is shown. Only few users, flagged by their status in db (I am using in HTML Tokens to carry those, cookies where unreliable in MSIE) are set to go so far.

dspires Collaborator

dspires

Posted
Posted

Is your objective to restrict viewing of records or to control editing of records?

I set up a database that allows everybody to see the records, but each record has a user and password (changeable by user) assigned to it, without which modifications can't be made. The user/password information is maintained (but not viewable) in each record and doesn't use the web security database.

proton Collaborator

proton

Posted
  • Author
Posted

quote:
Originally posted by dspires:

Is your objective to restrict viewing of records or to control editing of records?

I set up a database that allows everybody to see the records, but each record has a user and password (changeable by user) assigned to it, without which modifications can't be made. The user/password information is maintained (but not viewable) in each record and doesn't use the web security database.

The trick is to restrict viewing and control editing as well. But it's not really about that. It's about 'logging' the user in without the web security database. A workaround for Web Security. Thanks for the input though.

This topic is 9114 days old. Please don't post here. Open a new topic instead.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept