FMForums.com

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

editing/posting without hidden form fields?

  • Newbies

Is it possible to edit a record without using a hidden form field to specify which record should be edited?

I can't use hidden form fields because someone could save and edit the source and edit a different record. And I can't use a restricted custom access privilege set to prevent that, because I can't use FileMaker internal authentication (because I am not allowed to email passwords), and can't use FileMaker external authentication (because at Stanford it's not possible to use LDAP groups). Instead I need to use Stanford's webauth system for the initial authentication, and need to have a secure way of controlling which record someone is allowed to see and edit.

I explored using cookies or sessions for this, and those methods seem to work fine in principle, but I haven't been able to figure out how to use them to solve my problem, i.e. specifying which record to edit without that number showing up in the "source".

The way I'm currently retrieving the information from the cookie is the two-step process from the documentation (first use fmxslt:get_cookie to put it into a variable $pref_cookie, then get the information out of $pref_cookie/fmc:cookies/fmc:cookie) and I don't know whether it's possible to get that into the xslt-cwp-query params somehow?

I think in your case you have to provide record security at the database side, not the web side. You have to create a privilege set that allows editing (i.e. unlocking) of records based on a calculation (e.g. if user id submitted equals user id attributed internally to the record, allow editing. This might even be expanded with some private/public key scheme). Check within FM: Menu File > Define > Define Accounts & Privileges, Tab Privileges, Button New ..., dropdown-menu Records > Custom Privileges ...

Still you have to check what happens if the user edits the source so that his ID is not sent.

BTW, you can't get the cookie into xslt-cwp-query params on the same page (see the thread http://fmforums.com/forum/showtopic.php?tid/182893/ on a similar question), but you can send it in a document() call within the page or by the relay technique (see http://www.filemaker.de/konferenz2006/ , slides and demo by me, all in German) to the database.
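An added illustration of the server-side check discussed above, not part of any post in this thread and not FileMaker or XSLT code: a plain Python sketch in which the user identity comes from the authentication layer rather than the form, the record reference carries an HMAC bound to that user, and ownership is re-checked before the edit. The record store, the key, the field names `recid`/`tag`/`note` and both function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data standing in for the database: record id -> owner and content.
RECORDS = {
    "101": {"owner": "alice", "note": "first draft"},
    "102": {"owner": "bob", "note": "bob's entry"},
}
SERVER_KEY = b"constructed-demo-key"  # hypothetical secret, kept only on the server


def sign_record_ref(record_id, user):
    """Bind a record id to one user so a changed form field fails to verify."""
    msg = f"{user}:{record_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def edit_record(auth_user, form):
    """Apply an edit only if the authenticated user owns the target record.

    auth_user is supplied by the authentication layer, never by the form;
    form is the untrusted dict of submitted fields.
    """
    if not auth_user:
        # Covers the case where no user id reaches the server at all.
        return "denied: not authenticated"
    record_id = form.get("recid", "")
    expected = sign_record_ref(record_id, auth_user)
    if not hmac.compare_digest(form.get("tag", "").encode(), expected.encode()):
        return "denied: record reference was altered"
    record = RECORDS.get(record_id)
    # Ownership is checked against stored data even when the tag verifies.
    if record is None or record["owner"] != auth_user:
        return "denied: not the owner"
    record["note"] = form.get("note", record["note"])
    return "ok"
```

With this shape the record id may still be visible in the page source; changing it only produces a rejected request.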

  • Author
  • Newbies

Thanks for writing back: I've successfully used the document() call to open the right record from the cookie and display information from it, but I don't know how I can use it to *edit* the record. Is that possible?

Also, slides in German are fine, and I've already downloaded them, but I can't seem to find the "relay" technique in there. What page is it on, or what's the German word you're using?

p. 47, "Einsatz von fmxslt:set_status_code() und fmxslt:set_header() zur Beeinflussung des HTTP-Headers"

See also search_de.xsl in folder newsticker/xslt-template-files/newsticker/Schritt3_optimiert

You will find both a document() example with -edit and the technique mentioned.
