5 Replies Latest reply on Feb 11, 2012 4:18 PM by Malcolm

    user remote access doesn't require log in

    wallybuch

      I have a professionally hosted FM database that is opened via the open remote dialog box. The account name and password always come up on my machine (I have full access privileges). However, I set up a data user account and sent the full filepath to the user, and when he puts the file path in, which includes the name of the file at the company that hosts it, he never sees a log in screen but is taken directly to the file! I have even deauthorized the data user account from the list of users and he is still able to get into the db without ever seeing a log in screen.

       

      Any help is appreciated.

        • 1. Re: user remote access doesn't require log in
          Stephen Huston

          Hi Wally,

           

          Check if the file has any auto-login account, and then there is also the possibility that he had the OS store his password.

           

          Is external authentication allowed in this file?

           

          I have had one instance reported to me where a Runtime I built for a nonprofit with full FM-authenticated account/password systems was copied from one computer to another and the new user could get into his copy without any authentication. I haven't seen it actually happen, but know the user who said he got in without a login, and he clearly could read the records. Sounds like a possible security bug, but I have never had access to the copied file which exhibited this behavior. I sent them a new clean copy, and they report that it now authenticates properly.

           

          Let us know what you find in your case.

           

          Stephen Huston

          • 2. Re: user remote access doesn't require log in
            timcimbura

            If the user is accessing on a Mac, and the user name and password are stored in the Keychain, it might let you in right away. This could have happened if you ever logged in on that workstation with that user/password and saved it for auto log in.

             

            Open Applications>Utilities>Keychain Access.app and search for anything with FileMaker in it. You may find stored passwords for several databases. You can delete the keychain entry. This will force the user/password to be entered again in the future.

             

            Hope that helps.

             

            Tim Cimbura

            Helping businesses become more effective, productive, and profitable through custom iPad/iPhone applications, FileMaker app solutions, and web site design. 

            tim@cimbura.com http://www.cimbura.com

            • 3. Re: user remote access doesn't require log in
              wallybuch

              Looking into both possibilities at the moment. Thanks for all your help and hope to resolve this.

               

              wally buch

              • 4. Re: user remote access doesn't require log in
                wallybuch

                Tim had it right. The user had stored it in his keychain without knowing it (He is not sure if he checked off the box that allowed it to be stored there). He deleted the keychain item and now all is well.

                 

                Thanks very much for solving this mystery. But it does reflect a problem with FM security. Anyone accessing this person's iMac could have logged in.

                 

                wally buch

                • 5. Re: user remote access doesn't require log in
                  Malcolm

                  Damned Convenient but it is a security problem. In another thread we were shown how to solve this issue.

                   

                  1. have the file auto-open into an account with low access privileges

                  2. immediately upon opening, run a script that includes the "Re-Login" step.

                   

                  Malcolm