2 Replies Latest reply on Nov 24, 2015 1:16 PM by doughemi

    FMS14 security problem

    doughemi

      I have a database developed on FM12 that I am attempting to port to FMS14.

       

      This database has over 2000 user accounts, because I need to allow my PHP users (members of a national association) to only see their own data. To do this, I am using the login scheme I found in FileMaker Web Publishing by Olm, Knight, and Petrov. The PHP logs into the db using a generic user WebMember (this part works because I can do a connection check using the listLayouts() API function), fetches the login username and password from the form, and then uses the API setProperty() function to set the username and password for that account name. This has worked for years starting with FM10.

       

      This still works fine on my local server (FMS 14.0.2) but does not work on the hosting company's server (FMS 14.0.4). It returns an Authentication Failed message (from the Olm-Knight-Petrov functions).

       

      In attempting to troubleshoot the problem, I attempted to open File->Manage->Security... to double-check that I had the PHP privilege enabled. When I do this on the remote hosted file, I only see the spinning beach ball for at least 5 minutes (that's when I force quit it). Again, this works fine on the locally hosted file.

       

      The hosting company's tech support suggested a table-based login system, but I have seen many experts on this and other forums state that this practice is a security flaw.

       

      I am on Yosemite 10.10.5, but the problem also appeared when the Tech Support guy tried it on Windows 7.

       

      I am working on a small demo db to see if the problem will show up there, but in the meantime, can anyone offer any suggestions?
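
The login flow described in the post, as an added sketch using the FileMaker API for PHP; it is not the poster's code or the code from the Olm, Knight, and Petrov book. The host, database name, environment variable, form field names and the `fmCheck()` helper are assumptions. It logs the server's error code and message at each step, so the same script can be compared on both servers.

```php
<?php
// Added illustration. Host, database, env var and form field names are placeholders.
require_once 'FileMaker.php';   // FileMaker API for PHP

define('FM_HOST', 'https://fms.example.com');   // assumed host
define('FM_DB', 'Members');                     // assumed database name

// Hypothetical helper: returns null on success, or "code N: message" on failure.
function fmCheck($fm)
{
    $result = $fm->listLayouts();   // the connection check mentioned in the post
    if (FileMaker::isError($result)) {
        return sprintf('code %s: %s', $result->getCode(), $result->getMessage());
    }
    return null;
}

// Step 1: connect as the generic account and confirm the connection works.
$fm = new FileMaker(FM_DB, FM_HOST, 'WebMember', getenv('FM_WEBMEMBER_PASSWORD'));
if (($err = fmCheck($fm)) !== null) {
    error_log("WebMember connection check failed ($err)");
    http_response_code(503);
    exit('Service unavailable.');
}

// Step 2: take the member's credentials from the login form.
$user = isset($_POST['username']) ? trim($_POST['username']) : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';
if ($user === '' || $pass === '') {
    http_response_code(400);
    exit('Username and password are required.');
}

// Step 3: switch the same connection object to the member's own FileMaker account.
// That account's privilege set needs the PHP (fmphp) extended privilege.
$fm->setProperty('username', $user);
$fm->setProperty('password', $pass);

// Step 4: re-test. Log the detail server-side; show the user only a generic message.
if (($err = fmCheck($fm)) !== null) {
    error_log('Member login failed for ' . json_encode($user) . " ($err)");
    http_response_code(401);
    exit('Authentication failed.');
}
// From here on, requests run under the member's own privilege set.
```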