Check if the file has any auto-login account, and then there is also the possibility that he had the OS store his password.
Is external authentication allowed in this file?
I have had one instance reported to me where a Runtime I built for a nonprofit with full FM-authenticated account/password systems was copied from one computer to another and the new user could get into his copy without any authentication. I havn't seen it actually happen, but know the user who said he got in without a login, and he clearly could read the records. Sounds like a possible security bug, but I have never had access to the copied file which exhibited this behavior. I sent them a new clean copy, and they report that it now authenticates properly.
Let us know what you find in your case.
If the user is is accessing on a Mac, and the user name and password is stored in the Keychain, it might let you in right away. This could have happened if you ever logged in on that workstation with that user/password and saved it for auto log in.
Open Applications>Utilities>Keychain Access.app and search for anything with FileMaker in it. You may find stored passwords for several databases. You can delete the key chain entry. This will force the user/password to be entered again in the future.
Hope that helps.
Helping businesses become more effective, productive, and profitable through custom iPad/iPhone applications, FileMaker app solutions, and web site design.
Looking into both possibilites at the moment. Thanks for all your help and hope to resolve this.
Tim had it right. The user had stored it in his keychain without knowing it (He is not sure if he checked off the box that allowed it to be stored there). He deleted the keychain item and now all is well.
Thanks very much for solving this mystery. But it does reflect a problem with FM security. Anyone accessing this person's iMac could have logged in.
Damned Convenient but it is a security problem. In another thread we were shown how to solve this issue.
1. have the file auto-open into an account with low access privileges
2. immediately upon opening, run a script that includes the "Re-Login" step.