
This topic is 8641 days old. Please don't post here. Open a new topic instead.


Posted

I'm using the web security DB which is working fine but would like to know how I get the users to logout. I have a logout option on my webpage but if they use the back option in the browser they can get back in.

Q How do I log them out so they have to log back in again?

Posted

As far as I know the 'login' with the Web-Security Database allows access throughout that http session.

The only way would be to 'kill' that session. If you are using FMP in conjunction with ASP, or something similar, that would not be difficult. However, if you are using FMP to singularly serve the http session another approach may be necessary.

This is worth further investigation because it is an important security issue. Sorry I don't have an exact answer, I am also interested in a solution.

All the best.

Garry Claridge

Posted

Point to consider:

To "kill session" -- at the homebanking or credit card access the banks are not doing that. It will be a pain to log in again and again and again.

Posted

Garry,

FWIW the page you are reading has your name (top left) and "[log out]". Do you log out from here? I don't think I ever have done so. I just figured it was not really necessary. Same as the "Reset" or "Clear" options that are offered on form submission pages. Once I've submitted a form, the data has been sent; I don't click back and clear or reset that page. It does not matter to me because the data has been sent and that page with my answers is on my machine only. If you were to get that same form page, you would get it empty. So what's the difference? It just doesn't matter to the client. And when I enter FM Forums, they have set a cookie in my machine so that I do not have to physically log in. So what's the difference if I enter from the front or having gone to another site, use the back button or (in the case of NN) the "Go" option? That cookie lets the host know it is me.

I guess I just don't get the gravity of your situation.

SIMPLIFY ...

Keith

Posted

I think that log-out is more for "completeness". I don't know a great deal about Internet security and particularly session security. I know that if you are using a shared computer (e.g. general-office or Internet cafe) this would be a concern especially if you do not quit the browser program.

Depends on the application and situation, I guess.

Garry

Posted

Yes, but if the machine is shared and user A uses it to visit login.com and does log-out, but does not quit the browser, and then user B uses the machine, can't user B just go to (in the case of Netscape) "Go" and click the address for login.com which is stored and enter again using the same cookie which was used by A and is also stored on that machine? If so, how do you resolve that issue since A did log-out?

SIMPLIFY ...

Keith

Posted

By not using cookies. I guess developers need to consider the use of cookies for auto-logins, particularly if computers are shared.

I suppose the developer needs to know who the user base is and how sensitive the information is.

I'm currently working on a Children's Modelling Agency site which has various access for different types of users. Because one of the kids may be showing one of their friends their details, perhaps on a school computer, we will not be able to use cookies and have to be aware of other security issues.

I know this is not a common problem, however it does have some significance (occasionally).

All the best.

Garry

Posted

Talk about a storm in a teacup, glad my question has raised some interesting points.

I guess the theory behind the Logging Out of a session is more for a controlled environment. In a public place (e.g. kiosks) you would not want the next person to be able to click the back button and see what has happened before.

I'm re-looking into this option and as a couple of you have mentioned "Login, Logout, login Logout" could be a pain.

  • 2 weeks later...
Posted

On the web, there is no "session" as we would probably like to imagine: things happen on an event-by-event basis as far as the web server is concerned. If stuff needs to be remembered between a user's events then it's up to the developer to use tokens or cookies (or some other method) in the browser to do it.

Most modern browsers remember the authenticated usernames and passwords for the whole time the browser program is running. This is a browser thing, not a FMP or Web Companion thing, so there is little we developers can do about it, except to remind users to quit/exit the browser when they have finished. The authentication is only "forgotten" when the browser is quit, and even then some versions of MSIE remember the password permanently!

  • 4 weeks later...
Posted

I use a simple login system where the Users.fp5 database has the field "Signed", which can either have the value "In" or "Out".

That value is "Out" by default. After the user has entered his username and password and they both match on the Users.fp5 database, he is then taken to another web page to continue signing in.

The link to continue signing in basically edits the "Signed" field to "In". And on each web page I use a [FMP-If] tag. If the field equals "In" then it shows the usual html. If the field equals "Out" then it shows the re-login html.

And when the user signs "Out" he just re-edits the field.

I hope to finalise my AppleScripts which will automatically make that field equal "Out" four hours after a user has signed "In". I plan on using this as a way of timing out users and ensuring that all Users are logged out even if they do not click the "sign out" button.

If you look at the other topic, "Exactly How Secure?", Proton is using a cookie method to sign users out.


[ May 23, 2001: Message edited by: Krishan ]

Posted

quote:

Originally posted by byteworks:

Talk about a storm in a teacup, glad my question has raised some interesting points.

I guess the theory behind the Logging Out of a session is more for a controlled environment. In a public place (e.g. kiosks) you would not want the next person to be able to click the back button and see what has happened before.

I'm re-looking into this option and as a couple of you have mentioned "Login, Logout, login Logout" could be a pain.

On a FileMaker note, there is no "Logout" until the user closes the browser. That "kills" the session. The logging out is actually a browser function, not a FileMaker function. The browser holds the login data. That's why in the requested features forum I posted a Logout function as a feature I would like in the next version of FileMaker. By that I mean a logout function that would cause the browser to cut the connection and erase the login data, thereby really logging you out, without having to close the browser.

Posted

I'm having the same problem with logging out on my database using the Web Security DB. People all across the school district are going to be using this, but I can't have access to the database left open on all the public computers. If there is any "logout" option I'd love to know about it.

Posted

I have just tried it myself and it seems to work.......

You could have a second database which has one username and password which is different to that of the first "main" database.

When a user clicks logout they actually search on the second database for a field value of logout or anything you like. (you only need one field and one record in the database with the value logout or anything you like.)

The browser should then show another username and password dialog whereby the user enters the different username and password, thus changing the session information stored in the browser memory. (Hopefully... I haven't tested on all browsers; as long as the browser prompts for an update and doesn't return an invalid username error you should be OK.)

Try it......it might work.


Posted

I use a system similar to Krishan in that I have a 'Users' table, in addition I have a 'Logging' table which records each session. On 'logout' a time and date for logout is entered into the 'Logging' table and the user is returned to the login screen.

Note that all pages are contained within frames and that all are format files. Hence, the format files cannot be called directly.

Hope this helps.

Garry

Posted

This logout is not a FMP function, it's a browser thing. Unless the browsers have a handle that FMP can operate to kill the session, nothing can be done. Of course, if there was such a handle, it'd be mis-used by people so much that we'd all turn the feature off.

One way -- that I haven't tried implementing at all -- would be to incorporate a randomly generated code at first entry, that changes every hour or so, forcing people to log-in again. Now, I could see this being *really* annoying from a user perspective after a short time -- like having a password-protected screensaver on your computer kick-in after a minute of inactivity.

Most "log-out" features on web sites like this forum are just cookie-deleting links, setting their expire parameter to 0 or -1.
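
The server-side sign-in flag with a four-hour timeout and the cookie-expiring log-out link described in the posts above, sketched in Python as an added example that is not code from any poster or from FileMaker. The cookie name `sid`, the `SessionStore` class and the header helpers are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_TTL = 4 * 60 * 60  # seconds; the four-hour limit from the "Signed" post

class SessionStore:
    """Sign-in state held on the server, so the server decides who is 'In'."""

    def __init__(self):
        self._sessions = {}  # token -> (username, sign-in time in seconds)

    def sign_in(self, username, now):
        token = secrets.token_urlsafe(32)  # random, unguessable session id
        self._sessions[token] = (username, now)
        return token

    def current_user(self, token, now):
        """Return the username, or None if signed out, unknown or timed out."""
        username, started = self._sessions.get(token, (None, 0))
        if username is None:
            return None
        if now - started >= SESSION_TTL:
            del self._sessions[token]  # timed out: same effect as signing out
            return None
        return username

    def sign_out(self, token):
        self._sessions.pop(token, None)  # a replayed cookie now matches nothing

def _cookie_header(value, extra=None):
    cookie = SimpleCookie()
    cookie["sid"] = value  # "sid" is a hypothetical cookie name
    attrs = {"path": "/", "httponly": True, "secure": True}
    attrs.update(extra or {})
    cookie["sid"].update(attrs)
    return ("Set-Cookie", cookie["sid"].OutputString())

def login_headers(token):
    # no-store asks the browser not to keep a copy of protected pages
    return [_cookie_header(token), ("Cache-Control", "no-store")]

def logout_headers():
    # Expire the cookie in the browser as well as deleting the server record
    return [_cookie_header("deleted", {"max-age": 0}), ("Cache-Control", "no-store")]
```

This covers cookie or token logins, where every page request is checked with `current_user` before any content is sent. Credentials that the browser caches from its own username and password dialog, as several posts note, are not cleared by these headers.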
