
Forum post

    Problems datasecurity using browser buttons together with IWP
    Forum post posted June 1, 2011 by Harold Kops, last edited May 11, 2012
    1294 Views, 25 Comments

    Database published with IWP. Data is related to Username. After login user can only see information related to Username. Within FileMaker this works without exception.

    Unfortunately, the moment I use the buttons of the web browser to go back in history instead of the buttons programmed within FileMaker, suddenly I get different information. Also records which are not related to Username.

    I am sure that it is not a problem within the database and the approach of data linked to the username, because I have tested that thoroughly.

    I am wondering whether this is a safety problem with using a database via Instant Web Publishing or whether there is something I have to activate or de-activate to clear out this problem.

    I use FileMaker Server Advanced 11 on a Windows server. The problem within the browser is tested in IE, Firefox and Safari. All give the same problem.

     

    Answer

    • Jeff Cortez

      My solution is having the same problem when clicking on the back button of the browser. I have noticed that when users are directed using related records (show only related records - match current record only), finding only one (correct) record, if the user presses the back browser button, the system directs them to record 0, which is not related to the user at all, and they inadvertently see someone else's record and can make changes. This is not a particular user, since I have replicated this problem with every user in the system. Yes, this only happens in IWP and not with the client; no back button in the client.

      I was able to circumvent this problem in one of my premiere solutions where the system will first find a dedicated error record and then continue to create a new record; if the new record does not fire (which I have documented that it doesn't always), the client is directed to the error record.

      Here are my thoughts on solving this issue.

      1. Set up IWP to open up the browser in Full Screen, so the browser buttons are hidden from the user.

          - I found some JavaScript to modify IWP; however, I am afraid to corrupt the file since I have over 70 solutions in this one server.

      2. Trying to figure out the actual command of the browser back navigation so I can address it accordingly and modify my solutions around this command.

      3. An ugly solution is to make a note not to use the browser buttons.

      This is definitely a data security issue in IWP which needs to be addressed. If I cannot solve this problem, I will need to step back and rethink creating solutions using Instant Web Publishing. I am on the Windows 2008 R2 Server platform using FileMaker Pro advance server version 10. I wonder if version 11 has this same issue?

    • Harold Kops

      Thanks Jeff for explaining your problem with IWP. I have checked whether I experience the same. I was surprised to see that IWP via the browser button goes to record 0. I could not see that because of hiding the panel.

      Then I decided to change the use of using related records (show only related records - match current record only) in opening the layout and filter the records. Within IWP and the buttons programmed it works fine, but as soon as you use the back browser button you end up at record 0, which is not related to the user in the system.

      Thanks for your suggestions, but I agree with your conclusion that this data security issue in IWP needs to be addressed by FileMaker.

      This issue is the same in version FileMaker Server 11 Advanced.

    • Jeff Cortez

      Thanks Harold for confirming for FileMaker 11. I have submitted a report to FileMaker and hope to hear from them soon. I will post if I find a solution.

      Thank you.

    • TSGal

      Harold Kops and Jeff Cortez:

      Thank you for your posts.

      I see that both of you are hosting the files on Windows 2008 servers.  Are the customers also on Windows machines?  What versions of Windows and Mac OS X?  Jeff Cortez - What browsers (and versions) are being used?

      TSGal
      FileMaker, Inc.

    • Harold Kops

      TSGal,

      Customers are on all kinds of machines. I have tested this via Mac OS X 10.6.8 and Safari 5.0.5, via Mac OS X and Firefox 3.6.12 and via Internet Explorer 8 on a Windows machine. All gave the same problem. The problem was reported to me via a customer who worked on a Windows machine via Internet Explorer. I am not sure with which versions he works.

      Thank you for taking up this issue!

    • Jeff Cortez

      Dear Harold,

      Please use this link to follow on this thread in the issue report section:  http://forums.filemaker.com/posts/0695d71be4

    • TSGal

      Harold Kops and Jeff Cortez:

      First, thank you for the additional information.

      Second, both threads (this thread and the one reported by Jeff Cortez) have been reported. I will keep you updated on both threads.

      TSGal
      FileMaker, Inc.

    • TSGal

      Harold Kops and Jeff Cortez:

      We are having difficulty replicating this problem in Testing and in Technical Support.  We would like to see a sample file.  Check your Inbox at the top of this page for instructions where to send your sample file.

      TSGal
      FileMaker, Inc.

    • TSGal

      Harold Kops and Jeff Cortez:

      I have received files from both of you.  Thank you.

      I have sent both files to our Development and Testing departments for further review and confirmation.  I will keep you posted as information becomes available to me.

      TSGal
      FileMaker, Inc.

    • TSGal

      Jeff Cortez:

      Your zip file does not expand properly.  The file also had the extension .zipx.   If the solution is less than 10MB, can you send it unzipped?  If not, then zip it again.  

      TSGal
      FileMaker, Inc