Need input on creating password submit.....

[ole]

Im new to this board and im from Norway.....so if I spell some words wrong I hope you can bare with me.

I have made a box to insert usename and password. I have redefined the submit button to a roll over with an animated gif wich will serve as submit on click when the animatin is done.

My problem is however in how I make filemaker pro 5 understand that I have my own password box and not the one built in windows. I have made all the html documents with all the records and actions I want and just need to link my password box to the index file. Do I need to set up the web security in a special way?

any input on this would be truly apreciated.......

best regards

Ole

[This message has been edited by ole (edited November 13, 2000).]

[Vaughan]

As far as I know you have to use the OS authentication box offerred by the OS, otherwise you're on your own and need to create the whole password checking process yourself.

This would involve having a database of usernames and passwords (two password fields, the second is to verify the first when people create or change password). Authentication will then be a process of performing a find on the username and password pair in this database.

However, once you have "authenticated" the user, I cannot think of any way to control what their actual access privilefes would be.

I'd can the whole idea and stick with the standard authentication process if you need to give different users different levels of access. If all you want to create is a fancy login system where everybody gets the same access, then it will be easy to do.

[ole]

My idea is to give different privileges to different users. I reformatted the submit button with java and got it to accept the function.Do you think it will be hard to seperate user privliges?

btw, thanks for your reply..

[Anatoli]

quote:

---

Originally posted by ole:

My idea is to give different privileges to different users.

btw, thanks for your reply..

---

I am using one database for log-in. When separate levels of access are required, I am using Tokens and it works great. Tokens are more reliable than cookies in MSIE, in Netscape both are reliable.

The only problem is that you must do ALL LINKS on ALL PAGES with tokens. Otherwise the visitor will lose allocated Token.

[ole]

Thank you for the tip. I was looking at tokens at school today and I was actually wondering how it worked. I looked at the source from a site I know do this and I saw the code -tocen1 was set up. Now I need to understand how to use this info...any idea on where I can find more info?

thanks for the reply...)

[Vaughan]

Tokens are very visible in the browser url and very as easy to change/hack. I'd prefer not to base a security system on Tokens.

How will the token enable different security levels on different users? If the overall security of the database is set to allow all actions then it's going to be easy for somebody to have their way with the data.

Did you know that if somebody hosts a FMP database multiuser with the export privilege allowed, *anybody* on the Internet can open the database with their own copy of FMP and conenct to it with their copy of Web Companion and their own format files? They can then delete all records if they want. If your security system relies format files to give the appearance of security restrictions then it's obvious that it's not real security.

Which is why I think that database-level security is important. Passwords.

[ole]

Thank you for the input Vaughan. I`ll take this up with my partner....seems we need to think this over and reflect over the downsides of using tocens.

best regards

Ole

[Anatoli]

RE: Tokens are very visible in the browser url and very as easy to change/hack. I'd prefer not to base a security system on Tokens.

Anatoli: How change/hack? First, token holds the user name and user password, so user can in worst scenario try the same as in input login box, try different user and password.

Furthermore, if you use "Forced frames", user cannot fiddle with URL line at all, just try that on my site.

RE: How will the token enable different security levels on different users? If the overall security of the database is set to allow all actions then it's going to be easy for somebody to have their way with the data.

Anatoli: for instance in my scenario, if user wants edit his/hers data, he/she is presented with his/hers data and nothing else. Simply the search does not find someone else's data. Obviously, I am combining this with WebSecurity database as well. But that is doing sort of "group level" security, e.g. visitors can browse, clients can create and edit, and administrators can also delete....

RE: Did you know that if somebody hosts a FMP database multiuser with the export privilege allowed, *anybody* on the Internet can open the database with their own copy of FMP

Anatoli: that is why someone developed Firewalls, mine are protected and invisible. Best will be to serve them only over web and not share them, but I like the remote administration very much...

RE: Which is why I think that database-level security is important. Passwords

Anatoli: agreed, but you cannot have 10000 passwords, can you? That is why I am using combination of both....

[Vaughan]

Anatoli

Working around frames is easy: all a person has to do is look at the html source (like I just did on your site) work out the db and format file names, then create a link in a web page on their own desktop computer that does what they want, browse it and click the link.

With a bit of digging around anybody's site and looking at page sources I could put together a url that creates new records or edits them, maybe even deletes them... the only thing stopping the action from occuring would be a database-level password or the Web Security database if it is being used. Tokens won't work here because I am by-passing them by not using your format files!

OK a scientiffic experiment:

I have just set up a db on my server with NO password protection. There is one html format file in the directlry called index.html -- it's a blank page with a bit of text on it. Let's cause some mischief... build a url that generates new records. Simple stuff...

http://138.25.32.40/test/FMPro?-db=test&-format=index.html&-error=index.html&-new

If you click on this link you (the web user) just get a blank page with a short text message, but each time a new record is created in my database, and there is nothing I can do about it! Now try making a web page on *your* computer with the same URL in it... it works!

How are Tokens going to help here? NOT A BIT because they only restrict actions within the format files you specify, not at the database level that Web Companion works at. The URLs are remote-controlling Web Companion directly.

If you don't have passwords on your database or use FMP's Web Security databases, you don't have any security!

BTW the database this link refers to will be removed in a few days and the url editied out of the message, so try it now and post your responses so other people will know what happened.

[ole]

Vaughan...I got your point. Tokens gives no protection. My aim was to avoid letting my users have to write the password for everything they were trying to do in my database. With web security database they have to write a password for each post, unless I give them full access. Any way to do this in another way?

Any help would be truly apreciated

[Vaughan]

Each time you enter your house you need to use a key, the alternative is to leave the door open.

What's the problem with people needing to enter a password? Most browsers remember passwords for the entire length of a session.

[Polyphony]

How the heck is anybody supposed to make an online-store solution if there is no real security for web companion??

[Vaughan]

All databases have this problem... you let people add new records but not edit or delete.

It's all about risk management. Allow only the mnimum access required for the solution to work as intended, close everything else off.

And use passwords, the security built into FileMaker Pro is robust enough, just don't think smoke and mirrors (aka couple of tokens) is going to be effective.

Most of my shared databases have <no password> set to allow browse only, no create, edit or delete records. That's fine. It works.

Regular and frequent backing up helps too. <g>

[Anatoli]

To Vaughan

I think you are way too focus to show me something, that you are confusing lot of issues.

Read my post again, and try to fiddle a bit with my databases. Please, be gentle :-).

Just some points:

1. YOU set the test on your site and it works as YOU programmed it. I cannot do more or less with your site.

2. The HTML forms are sitting on your FM and are not easily accessible. I cannot use them or modify them at all.

3. I never claimed, that the Tokens ARE SECURITY at all. They are there to just work as is programmed AGAIN I AM CLAIMIND NO SECURITY IS PROVIDED BY TOKENS. Just by clever programming something can be achieved.

4. Try to edit the record with key (klic) 12 or try to delete that record (the record with key 12).

5. Because the site is multi-leveled security e.g.

a) Forced frames

: Login database

c) Password protected

I think it is as protected as anything else is. I cannot do miracles, but I am quite happy as it is.

Anatoli

[dspires]

A useful password trick that I use is to set up a field in the desired database and through the web security database make that field require an exact match to update the record. The field (password) can by modified from the default password for each record by the user through scripts triggered from the web.

The ability to create records is still controlled through the web wecurity database, but once created, record-level edit access is controlled by user passwords.