
Tip: using URLs to bypass IWP login and avoid iwp_auth.html


This topic is 3780 days old. Please don't post here. Open a new topic instead.


Background: IWP will allow you to bypass the iwp_auth.html page if and only if there is one guest account and no other accounts with IWP access. If you want to have more than one account active, and yet still bypass the login step, it is possible. There are some tips on the web about how to work around this, but I recently tried to do this and found that the tips were outdated or wrong or referenced servers or files that were lost.

So I'm writing up my experiences here for the record.

These have been tested with

  • Server: FileMaker Server Advanced 11 running on Mac OS X 10.6.8 / Apache.
  • Clients: IE 8, IE 9, Safari 5, and Firefox (versions 12-15).

In theory, bypassing the login with a URL is fairly simple. In practice, it's difficult, because you must use a mix of URL encoding styles in the URL. In testing variations of these, I found three difficulties:

  1. IE, Safari, and Firefox handle the URLs slightly differently. A URL which works on Windows under IE may not work on Mac Safari or Windows Firefox.

  2. The URL you want is slightly different if it's inside an <A> anchor href, versus if it's being used in a javascript command.

  3. If you are running any server monitoring tools, the URL will normally cause a 302 redirect to initiate the log in. Realizing this is key to parsing the response properly.

Here's what I have found that works:

For a specific account login, the URL should look like this:

  • For an <a href> tag, use this format:

    <a href="http://myserver.com/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db=mydatabasename%26-startsession&amp;acct=account&amp;name=myusername&amp;password=mypassword&amp;login=Login&amp;-authdb">

  • For use in a meta refresh tag in the <head> section of a web page:

    <META HTTP-EQUIV=Refresh CONTENT="0; URL=http://myserver.com/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db=mydatabasename%26-startsession&amp;acct=account&amp;name=myusername&amp;password=mypassword&amp;login=Login&amp;-authdb">

  • For use in javascript:

    window.location.href = "http://myserver.com/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db=mydatabasename%26-startsession&acct=account&name=myusername&password=mypassword&login=Login&-authdb"

Notice the subtle difference: in the first and second URL, you use "&amp;" for every ampersand after "startsession". In the third URL, you use actual ampersands. Be careful if you copy/paste this URL - many websites and apps will change it as you paste it in, so be sure that it's exactly as shown here. Replace myserver.com, myusername and mypassword with appropriate values for your application.

For a guest login, the URL should look like this:

  • For an <a href> tag, use this format:

    <a href="http://myserver.com/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db=mydatabasename%26-startsession&amp;acct=guest&amp;login=Login&amp;-authdb">

  • For use in a meta refresh tag in the <head> section of a web page:

    <META HTTP-EQUIV=Refresh CONTENT="0; URL=http://myserver.com/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db=mydatabasename%26-startsession&amp;acct=guest&amp;login=Login&amp;-authdb">

  • For use in javascript, e.g.:

    window.location.href = "http://myserver.com/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db=mydatabasename%26-startsession&acct=guest&login=Login&-authdb"

Notice the subtle difference: in the first and second URL, you use "&amp;" for every ampersand after "startsession". In the third URL, you use actual ampersands.

Finally, if you are using a server monitoring tool (such as a cronjob that runs curl and checks the result) you need to realize that this login technique causes an immediate 302 redirect. Here's my cronjob script to see if the server is running:




#!/bin/sh
# simple cron job script to send an email if a server is not responding properly.

# set the next variable to the URL of the server page you wish to check
URL='http://myserver.com/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db=mydatabasename%26-startsession&acct=guest&login=Login&-authdb'

# set the next variable to an exact string match in the returned web page
# note: we expect a 302 redirect upon login, so we now watch for this in the headers only
MATCH="HTTP/1.1 302 Moved Temporarily"

# email address(es) to send the result to
EMAILS="[email protected]"

# strings to email on failure
SUBJ="Website Error"
MSG_FAIL="Error: Server did not respond properly"

# get the web page, count the # of matches
# note that if curl fails, the match will fail too
# note: we expect a 302 redirect upon login, so we now ask for headers only
# the URL is quoted so the shell does not treat the "?" as a glob pattern
N=`curl --head --connect-timeout 90 --max-time 120 -k "$URL" 2>&1 | grep -c -e "$MATCH"`

echo "n = $N"

# if N = 0 then send error message
if [ "$N" = "0" ]
then
    echo "sending error email"
    # EMAILS is left unquoted so that several space-separated addresses work
    echo "$MSG_FAIL" | mail -s "$SUBJ" $EMAILS
    exit 1
fi

# got here? everything is ok, exit silently
exit 0




  • 3 months later...

Careful passing usernames and passwords using URL parameters...

 

 

Good point: you should only use this technique when you put the password in the URL for cases where the password is not a security concern (or, if you have an additional layer of security that controls access to the web page).

 

In my case, I use this to implement a simple redirect based on the username:  if the username is "FAQ" then I redirect them to the FAQ layout inside IWP.  If the username is "Help" then I redirect them to the help page, etc.

 

 

 

Why not just create a custom form using get? Then edit your iwp_auth.html to redirect back or show a custom error message if there's an invalid login?

 

I'm not sure I understand this: can you explain? My technique is set up to allow you to have multiple accounts (without passwords, or with, if you choose) to log in automatically, and also allow guest access at the same time.


  • 1 month later...

I have tried some of your examples above as well as a few that others have posted and always get the same error response... "Bad Request. The server could not process your request due to a missing command ""."

 

I am using the following URL (swapping out my info for the Host IP, DB Name, Username and PW, of course).   http://x.xx.xxx.x/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db%3DXXXXX_XXXX%26-startsession&amp;acct=account&amp;name=xxxxxx&amp;password=xxxxx&amp;login=Login&amp;-authdb

 

Any ideas how I can make this work? 


Note: since I first posted, the forum software has now added incorrect tags into my URL examples.   I've alerted the moderator to ask them to fix it.  It looks like the forum "acronym" processor is to blame, as it's adding < acronym title > tags in the middle of my URLs which are in Code blocks.  



I have tried some of your examples above as well as a few that others have posted and always get the same error response... "Bad Request. The server could not process your request due to a missing command ""."

 

I am using the following URL (swapping out my info for the Host IP, DB Name, Username and PW, of course).   http://x.xx.xxx.x/fmi/iwp/cgi?dbpath=%2Ffmi%2Fiwp%2Fcgi%3F-db%3DXXXXX_XXXX%26-startsession&amp;acct=account&amp;name=xxxxxx&amp;password=xxxxx&amp;login=Login&amp;-authdb

 

Any ideas how I can make this work? 

 

 

Your URLs seem wrong to me.   You have 

%3F-db%3Dxxxxx_xxxxxx%26-startsession

 

But the proper format is

%3F-db=xxxxx_xxxxxx%26-startsession

 

Notice that you have URI-encoded the "=" (equals sign) but it needs to be left as a raw "=" character.

 

Try replacing the %3D with a plain old = (equals sign)?

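The encoding rules from the posts above (nested dbpath percent-encoded except for the "=" after -db, "&amp;" inside HTML attributes, plain "&" in script or curl URLs), as an added example that is not part of the original posts: a builder for both URL forms and a checker for the mistakes discussed in the thread. Function names are hypothetical, and percent-encoding the database name and account values is an assumption.

```javascript
// Added example, not from the thread. Parameter names come from the posted URLs;
// function names are hypothetical.

// Raw form, as used for window.location.href or curl.
function buildIwpLoginUrl({ host, db, account, password }) {
  // Nested path is percent-encoded, but the "=" after -db must stay raw.
  // Assumption: the database name itself is percent-encoded too.
  const dbpath = encodeURIComponent('/fmi/iwp/cgi?-db') + '=' +
    encodeURIComponent(db) + encodeURIComponent('&-startsession');
  const auth = account
    ? ['acct=account', 'name=' + encodeURIComponent(account),
       'password=' + encodeURIComponent(password ?? '')]
    : ['acct=guest'];
  return 'http://' + host + '/fmi/iwp/cgi?dbpath=' + dbpath + '&' +
    auth.concat(['login=Login', '-authdb']).join('&');
}

// Form for an <a href> or meta refresh attribute: every "&" becomes "&amp;".
function toHtmlAttribute(rawUrl) {
  return rawUrl.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Report the mistakes discussed in the thread. context: 'html' or 'script'.
function diagnoseIwpUrl(url, context) {
  const problems = [];
  if (/-db%3D/i.test(url)) {
    problems.push('"=" after -db is encoded as %3D; it must be a raw "="');
  }
  if (context === 'script' && url.includes('&amp;')) {
    problems.push('"&amp;" in a script/curl URL; use a plain "&"');
  }
  if (context === 'html' && /&(?!amp;)/.test(url)) {
    problems.push('bare "&" in an HTML attribute; use "&amp;"');
  }
  if (/[?&]password=/.test(url.replace(/&amp;/g, '&'))) {
    problems.push('password is carried in the URL');
  }
  return problems;
}

// Constructed sample: the guest URL in HTML form with the "=" wrongly encoded.
const bad = toHtmlAttribute(
  buildIwpLoginUrl({ host: 'myserver.com', db: 'mydatabasename' })
).replace('-db=', '-db%3D');
console.log(diagnoseIwpUrl(bad, 'script'));
```
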

  • 8 months later...
  • 3 weeks later...

I second weag's question.

 

My entire IWP solution relies on clients just clicking on a link which logs them in as a specific IWP user, and they're then presented with my own custom login page.

 

If FileMaker has removed this great feature for WebDirect then the user has to:

 

 - enter user / pass to access the server (can this step be turned off?)

 - enter user / pass to access the file (I'm guessing you could use auto login on the file and hopefully that would work over WebDirect?)

 

A user / pass will have to be entered somewhere if it can't be specified in the URL, hopefully it only has to be done once.

 

But that still means we either need to:

a: get clients to log in, twice

 

or

 

b: have (in my case) thousands of accounts set up in FileMaker and ditch the custom login page I've created

 

(a) is really the only solution at present.

