59 Replies Latest reply on Mar 20, 2017 11:41 AM by JackRodges

    User Login In Filemaker!

    aliabbassipro

      Hi, I Don't Like FileMaker User Login & I Want To Make My Custom User Login.

      I Want When User Open The Project, FileMaker Asked Him To Enter User Email & Password, If User Don't Register Until Now Click Sign Up Button & Go And Write His Information On Login Field.

      If User Email Is Registered Or Fake, See He Can't Register & If User Email & Password Is Correct Login To Project.

      What I Need To Do That?

      Only User Information Table?

      Who Do This Work Until Now? Who Can Help Me To Make This Thing?

        • 1. Re: User Login In Filemaker!
          jormond

          This has been discussed in a lot of detail in other places. It's a bad idea. It's too easy to open up a security hole. Scripted methods of user access can very often be easily prevented. There is a video in the Resources section from DevCon (presentation by Ronnie Rios), that explains some of the problems. Note, I said SOME.

           

          Also see here: Some Vulnerabilities Associated With Ersatz Log-On Systems - FileMaker Security Blog - FMForums.com

           

          My recommendation: DON'T DO IT.

          1 of 1 people found this helpful
          • 2. Re: User Login In Filemaker!
            oceanwest
            Hi, I Don't Like FileMaker User Login & I Want To Make My Custom User Login.
            I Want When User Open The Project, FileMaker Asked Him To Enter User Email & Password,
            If User Don't Register Until Now Click Sign Up Button & Go And Write His Information On Login Field.
            If User Email Is Registered Or Fake, See He Can't Register & If User Email & Password Is Correct Login To Project.
            What I Need To Do That? Only User Information Table? Who Do This Work Until Now? Who Can Help Me To Make This Thing?

             

            Translated from Comic Sans

            1 of 2 people found this helpful
            • 4. Re: User Login In Filemaker!
              wimdecorte

              aliabbassipro wrote:

               

              Hi, I Don't Like FileMaker User Login & I Want To Make My Custom User Login.

               

               

              As jormond stated: don't do it.

               

              Why don't you like what is there?  What does it not allow you to do?

               

              Disregarding FM's security layer and 'rolling your own' is pretty much a guarantee that your solution will not be secure.

              2 of 2 people found this helpful
              • 5. Re: User Login In Filemaker!
                JackRodges

                You can use the Account functions to create a new account after the user logs in in a demo account mode or the user can log in with their existing account.

                 

                After logging in using a demo account the user can click a button to create their own account and you would assign the account name, temporary password and privilege set. After the account is created you can switch to that account or require the user to exit and log in again. From that point on they own the account and can log in with it.

                 

                It is also possible using techniques I have used as well as other developers to track the exact location and computer being used and determine whether or not to allow that login.

                • 6. Re: User Login In Filemaker!
                  jormond

                  So you are suggesting allowing a user into the database, then allowing them to create their own account, which would immediately allow them in?

                   

                  1. No. That would be as risky as allowing a third party full SSH access into one of your servers.

                  2. ANY scripted approach to security can be circumvented or paused. Because the user is already authenticated into the file, they may be able to escalate their privileges and gain more access than intended.

                   

                  We have done this dance several times. It is simply not wise. I have backed out of projects that have required this approach.

                   

                  Here are 2 discussions that happened around this topic. A Conversation About '2 Factor Authentication'

                   

                  Even well-seasoned, great developers can miss a hole that opens them up for a security breach. It's not a challenge about whether or not it can be done. It is a matter of how much risk the business is willing to deal with. There is only one database that used an ersatz security technique that I have attempted to access where I was unable to access and manipulate the data in some way other than what was intended by the developer. That approach was very complex, and relied primarily on External Authentication to close the remaining loopholes. At that point... the custom login approach was unnecessarily expensive. Read that roughly $5,000USD to have a custom dialog for signing in... But then they allowed the user to save the login credentials...so users only ever saw that dialog 1x. Hopefully that sounds as ridiculous to you as it does to me.

                  1 of 1 people found this helpful
                  • 7. Re: User Login In Filemaker!
                    JackRodges

                    If you avoid FileMaker's login and security then your file is open to everyone and you pretend that your roll your own will keep them out. This is not true. I and countless others can pick your file clean, steal your data and enter corrupt data.

                     

                    Even if you do use the account/password and fail to protect other portions, the above may still apply.

                    • 8. Re: User Login In Filemaker!
                      taylorsharpe

                      You have been appropriately forewarned above about security and best practices. But like all rules, there are exceptions. Maybe the data you have is public and security is a low priority and maybe you want to do something entertaining with the login, particularly in a web viewer with animation or something fun. In general though, if you are dealing with business data and security is important, you won't want to bypass FileMaker security at all because of known and unknown vulnerabilities. But if you're going to make a custom security, you are going to have to do something like have people log in as guest automatically and script your security and it can be done.

                      • 9. Re: User Login In Filemaker!
                        TonyWhite

                        Hi aliabbassipro

                         

                        From a previous post you mentioned that you are new to FileMaker and learning.

                         

                        Security is a wide and deep topic. Here are some learning resources on the topic:

                         

                         

                        Some things are safe to do. Others are not. Learning the built in security features is the path to knowing what is safe and what is not.

                         

                        Hope that helps,

                         

                        Tony White

                        1 of 1 people found this helpful
                        • 10. Re: User Login In Filemaker!
                          JackRodges

                          In a non-critical test using Pro 15 and a login using a Demo account with read only privileges, I could not interrupt this script:

                           

                          Set User Abort Off (or is it on)

                          create new account xxxx privilege set xxxx

                          relogin to new account

                           

                          This doesn't mean that someone else could not halt the script...

                           

                          But just as bad is what FileMaker did after closing the loophole for auto logins when FileMaker allows using the new style auto login that is tied to a computer. So, if a Developer closes the file and heads to lunch but leaves the computer running, anyone can sit down and open that file with full access privileges...

                          • 11. Re: User Login In Filemaker!
                            jormond

                            Whether you feel storing the credentials is bad or not...that is a normal feature in almost every piece of software. I won't debate that. It's a security risk if users/business owners decide to allow it. I, personally, never save my Full Access account credentials. And other than my boss, no one else has full access.

                            • 12. Re: User Login In Filemaker!
                              beverly

                              MySQL, for example, stores the users in a table. The passwords, however, are encrypted and useless to anyone with even FULL privileges. Like FileMaker, anyone with admin credentials in MySQL can add/remove users. Web sites that make use of the email/password for login also highly encrypt the passwords that are stored in MySQL or other SQL dbs.
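
The table-based scheme described in the post above, sketched as an added example that is not part of the thread: the users table holds only a per-user salt and a slow one-way hash, so someone who can read the table cannot recover passwords, and a second sign-up with the same email is refused. SQLite stands in for MySQL here; the schema, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this sketch)


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted, one-way derivation; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_store() -> sqlite3.Connection:
    """In-memory table standing in for the SQL users table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        "email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return db


def register(db: sqlite3.Connection, email: str, password: str) -> bool:
    """Store salt + hash; return False when the email is already registered."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users VALUES (?, ?, ?)",
                (email.strip().lower(), salt, derive(password, salt)),
            )
        return True
    except sqlite3.IntegrityError:  # PRIMARY KEY rejects the duplicate email
        return False


def verify(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email.strip().lower(),)
    ).fetchone()
    # Unknown email: still run the derivation with a throwaway salt so response
    # time does not reveal which addresses are registered.
    salt, stored = row if row else (secrets.token_bytes(16), b"")
    candidate = derive(password, salt)
    # Constant-time comparison of the derived value with the stored one.
    return hmac.compare_digest(candidate, stored) and row is not None
```
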

                              • 13. Re: User Login In Filemaker!
                                taylorsharpe

                                I concur with Beverly that security in MySQL is almost always done in a data table instead of a separate security level like FileMaker.  It is also why MySQL is more vulnerable and probably why it is one of the most hacked database platforms out there according to NIST.  Just check out the National Vulnerabilities Database.  It is also why you don't find many large corporations using MySQL because they want the better security available in Oracle and Microsoft SQL Server, etc.... and FileMaker!   MySQL is great for speed and the price is right.  But it is not the cutting edge of security. 

                                • 14. Re: User Login In Filemaker!
                                  wimdecorte

                                  gofmp wrote:

                                   

                                   

                                  But just as bad is what FileMaker did after closing the loophole for auto logins when FileMaker allows using the new style auto login that is tied to a computer.

                                   

                                  What option are you referring to?  The ability to store the credentials in the OS keychain/credential manager?

                                   

                                  That option is under the control of the developer, you can turn that off for your solution if you don't want users to have that option.
