33 Replies Latest reply on Mar 16, 2017 2:20 PM by jormond

    Why doesn't auto login work on FileMaker Cloud?

    cji_paygo

      Hi.

       

      I'm experiencing an issue with files hosted on FileMaker Cloud.

       

      In File Options, I have "Log in using:" set with a valid user name and password.

       

      However, when I launch it in WebDirect or in FileMaker Pro Advanced, I am prompted to enter the user name and password for the file.

       

      I've checked and the account does have the right privs.

       

      Has anyone experienced this issue?

        • 1. Re: Why doesn't auto login work on FileMaker Cloud?
          RickWhitelaw

          It's likely FileMaker Cloud, like FMS, will by default not host or open any file with auto login. And that's a good thing.

          • 2. Re: Why doesn't auto login work on FileMaker Cloud?
            Johan Hedman

            You need to create a password for your solution. You are never supposed to store a database up on a FMS without proper username and password

            • 3. Re: Why doesn't auto login work on FileMaker Cloud?
              cji_paygo

              Hi. The file does have a user name and password. As stated in my post, I'm using the "Log In Using" option under File Options and I've entered a valid user name and password.

               

              The account used for auto-login has a password and it's not a Full Access.

               

              My goal here is to have a much more elegant login process for my customers. And in some cases, I want to bring them to a quote via a simple url. This worked in FMS 14 and I'd love to have it work in FileMaker Cloud. 

               

              The default FileMaker login prompt is less than ideal.

              • 4. Re: Why doesn't auto login work on FileMaker Cloud?
                wimdecorte

                cji_paygo wrote:

                 

                 

                My goal here is to have a much more elegant login process for my customers.

                 

                Big red flag here.

                 

                Typically when we hear this it means that you'll want to auto-login and provide your own "security" / login process after that.  There's been a few very heated threads about this in the past and some hard evidence that doing this almost invariably ends up compromising security.  So think really hard about this, especially if you are going to put this in the cloud where anyone can find it - and anyone will be logged in automatically because of that auto-login...

                1 of 1 people found this helpful
                • 5. Re: Why doesn't auto login work on FileMaker Cloud?
                  RickWhitelaw

                  If you're using "log in Using" then it's an auto login. As such the file could be blocked. It doesn't matter if you have a password if the file is opening automatically using built in credentials. This is unsafe as anyone could access the file. They don't need a password because the file opens automatically.

                  • 6. Re: Why doesn't auto login work on FileMaker Cloud?
                    mattel

                    It's turned off in the config file

                    I've not tested it to see if you can set that to 0. 

                    <key name="DenyGuestAndAutoLogin" type="integer">1</key>
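Added example (not part of mattel's post and not FileMaker's own tooling): a small check an administrator could run over a copy of the server config to confirm how the key quoted above is set, including the cases where it is missing, duplicated or malformed. The `<config>` wrapper, the second key and the reading of `1` as "deny" are assumptions; only the `<key>` line itself comes from the thread.

```python
import xml.etree.ElementTree as ET

KEY = "DenyGuestAndAutoLogin"  # key name quoted in the thread

# Constructed sample: only the DenyGuestAndAutoLogin line comes from the
# thread; the <config> wrapper and the other key are hypothetical.
SAMPLE = """<config>
  <key name="SomeOtherSetting" type="integer">5</key>
  <key name="DenyGuestAndAutoLogin" type="integer">1</key>
</config>"""


def audit_auto_login(xml_text):
    """Return (status, detail); status is 'denied', 'allowed' or 'unknown'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return "unknown", f"config is not well-formed XML: {exc}"
    hits = [el for el in root.iter("key") if el.get("name") == KEY]
    if not hits:
        return "unknown", f"{KEY} not present in this file"
    if len(hits) > 1:
        # Which entry wins is not documented on the page, so do not guess.
        return "unknown", f"{KEY} appears {len(hits)} times; ambiguous"
    raw = (hits[0].text or "").strip()
    if hits[0].get("type") != "integer" or raw not in ("0", "1"):
        return "unknown", f"unexpected type or value {raw!r}"
    # Assumption: 1 means guest and auto-login sessions are refused.
    if raw == "1":
        return "denied", "guest access and auto login are blocked"
    return "allowed", "guest access and auto login are not blocked"


if __name__ == "__main__":
    print(audit_auto_login(SAMPLE))
```

Treating every unclear case as `unknown` rather than `denied` keeps the check from reporting a safe state it could not actually confirm.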

                    • 7. Re: Why doesn't auto login work on FileMaker Cloud?
                      jormond

                      Rolling your own login can be fraught with problems.

                       

                      1. It will take you a significant amount of time to close up all the security holes. Is it really worth it? It's just a login. And that is assuming you can actually close all the holes.

                      2. In the dozens of DIY login setups I've tested...not one has stopped me from getting in, in an unauthorized manor.

                      3. Putting this in the cloud, and outside of your secured network is especially risky. Just remember there are people out there that simply sit around looking for data to steal or servers to wreak havoc on.

                       

                      As wimdecorte mentioned. Weigh the risk carefully. In general, I've never once recommended going forward with something like what you are talking about.

                      • 8. Re: Why doesn't auto login work on FileMaker Cloud?
                        BruceRobertson

                        Good advice.

                        I do like the idea of an unauthorized manor.

                        • 9. Re: Why doesn't auto login work on FileMaker Cloud?
                          mattel

                          Some other things to take into consideration are how well you are securing access to the server whether it's onsite or cloud based.  In general I don't ever leave things open to 0.0.0.0/0 like the default configuration does.  But rather start out with a defined set and then determine what sort of VPN setup to use to access the servers.

                           

                          But we aren't deploying a solution for the masses, just a set of users.

                          • 10. Re: Why doesn't auto login work on FileMaker Cloud?
                            mardikennedy

                            "more elegant login process" - sounds like you read Apple UI Design Guidelines.  That said, there are various contexts where I, too, find it far more practical to do just that.  The served database opens to a designed, ReadOnly priv set that has access to specific layouts only.  (Depending on needs, you could assign RLA to that priv set too.)

                             

                            Thereafter, if the user wants to make any data changes, access other areas etc, they need to Relogin, via a script which uses FMP's Re-Login step.  Oddly enough, sometimes data is intended to be viewed and/or shared.

                            • 11. Re: Why doesn't auto login work on FileMaker Cloud?
                              cji_paygo

                              I appreciate everyone's warnings and I fully understand the implications of using auto-login on the cloud.

                               

                              WebDirect provides an amazing ability for our company to pull in leads and to support our customer base. But leads aren't going to bother if it's not SUPER easy to get the demo. If they get some prompt to login, they're going to conclude that something's wrong as all the other websites out there don't require a login in order to submit information.

                               

                              Maybe WebDirect isn't intended for that type of use, but why can't it be?

                               

                              We have been using the auto-login in FMS 14 for some time and frankly, it's a bummer if it's been decided that it won't be allowed on the FileMaker Cloud. At least make that the default and if we want to take that risk, we can.

                               

                              Just my 2 cents worth.

                              • 12. Re: Why doesn't auto login work on FileMaker Cloud?
                                jormond

                                mardikennedy - this is one of the points of contention when discussing security. The fact that you have allowed someone into the database, without authenticating can be a major loss of security. Any small holes in your setup, and the user can elevate their privilege set and access parts of the database you didn't intend them to.

                                 

                                I agree there are ways to prevent most items...but the setup becomes significantly more complex. That complexity then makes the opportunity for a security hole greater.

                                 

                                In many attempts I have played with, and tested, the fact that I was able to get into the database without ever authenticating is what allowed me the ability to use privileges that were not exclusively set by the developer...or in a few cases, items changed by the owner.

                                • 13. Re: Why doesn't auto login work on FileMaker Cloud?
                                  Jonathan Jeffery

                                  This is a bit silly.

                                  Firstly, there are many circumstances where you may be happy to allow password-free guest access to a database. For example, I host a small database of fake company names and addresses, which I use as a source of test data in several solutions. The guest account has read-only access -- the data can't be altered, but I have no reason to want to hide it. If anyone else wants to make use of it, download it, even resell it (if they can find a buyer!) I don't have a problem with that. I do have a problem with having to create and maintain a username and password in this database simply because FileMaker is covering itself from lawsuits if someone sets up some bad security options.

                                   

                                  Secondly, I think Joshua Ormand must have only seen solutions *not* built by experienced FM developers. It's perfectly possible to have a completely secure 'splash-page' login process leveraging FileMaker's own security model: auto-login with a special account whose privilege set only allows access to the splash-page layout, and can only edit two global fields (one to take the username, one to take the password), and can only run one script (a button to run a re-login script with the provided credentials). Prior to running the re-login process, what can anyone do? The 'auto-login' account has no access to anything else.

                                   

                                  The main reason why developers opt to use a secure 'splash page' is that, otherwise, FileMaker presents an ugly, grey, OS default, dialogue box, with the FileMaker icon and a bunch of extraneous fields (e.g. a greyed-out 'guest access' radio button, a checkbox for 'save password to Keychain Access'). As developers, we have no access to edit the options, nor change the theme to reflect the 'branding' of our database -- replacing the FileMaker icon with our preferred icon, for a start. This hardly reflects FileMaker's recent move towards 'custom apps'.

                                  • 14. Re: Why doesn't auto login work on FileMaker Cloud?
                                    wimdecorte

                                    Jonathan Jeffery wrote:

                                     

                                    Secondly, I think Joshua Ormand must have only seen solutions *not* built by experienced FM developers. It's perfectly possible to have a completely secure 'splash-page' login process leveraging FileMaker's own security model: auto-login with a special account whose privilege set only allows access to the splash-page layout, and can only edit two global fields (one to take the username, one to take the password), and can only run one script (a button to run a re-login script with the provided credentials). Prior to running the re-login process, what can anyone do? The 'auto-login' account has no access to anything else.

                                     

                                    To date pretty much all of these 'ersatz' login systems out there have proven not to be secure and the fact remains that by doing an auto-authentication and relying on things that are not part of the security scheme to do proper authentication and authorization just increases the likelihood of leaving a vulnerability somewhere.

                                     

                                    Can it be done?  Probably.  But it is done by taking a risk.  And as such it should be done with total transparency especially to client for whom the solution is built.

                                    1 of 1 people found this helpful