
Data security problem when using browser buttons together with IWP

Question asked by JeffCortez on Jun 30, 2011
Latest reply on Jul 6, 2011 by TSGal

Summary

Data security problem when using browser buttons together with IWP

Product

FileMaker Server

Version

FileMaker Server 10 Advanced

Operating system version

Windows Server 2008

Description of the issue

I have noticed that when users are directed using related records in IWP (show only related records - match current record only), finding only one (correct) record, if the user presses the browser back button, the system directs them to record 0, which is not related to the user at all, and the user inadvertently sees someone else's record and can make changes.



Here is the forum where someone else is experiencing the same issue

http://forums.filemaker.com/posts/0d29aeaea1

Steps to reproduce the problem

I have noticed that when users are directed using related records (show only related records - match current record only), finding only one (correct) record, if the user presses the browser back button, the system directs them to record 0, which is not related to the user at all, and the user inadvertently sees someone else's record and can make changes. This is not limited to a particular user, since I have replicated this problem with every user in the system. Yes, this only happens in IWP and not with the client; there is no back button in the client.

Expected result

Not to show anything.

Actual result

Goes to an unrelated record: record 0.

Workaround

Here are my thoughts on workarounds.

1. Set up IWP to open the browser in full screen, so the browser buttons are hidden from the user.

    - I found some JavaScript to modify IWP; however, I am afraid of corrupting the file, since I have over 70 solutions on this one server.

2. Trying to figure out the actual command of the browser back navigation so I can address it accordingly and modify my solutions around this command.

3. An ugly solution is to make a note not to use the Browser buttons.
