1 Reply Latest reply on Feb 14, 2013 2:59 PM by BowdenData

    IWP Browser back button goes to the wrong place - security issue


      FileMaker 12 Server/Advanced on Mac or Windows, using Instant Web Publishing (IWP) for user access.

      Any web browser.


      Clicking the browser back button goes somewhere you've never been. This is a security issue and needs to be addressed.

      FileMaker is placing things in the browser history that have no relationship to the data being viewed.

      Even if the back button could be controlled so that you are logged out, that would be better than what it does.


      Here is the relationship graph:

      Back Button Graph.png


      In the list of families, select one.

      Back Button 1.jpg


      Then select a child.

      Back Button 2.png



      In the child's record, click the browser back button.

      Back Button 3.png



      You will get this message:

      Back Button 4.png



      When you click OK, you get this result!

      Back Button 5.png



      In IE, you can see what is going on. For some unknown reason, FileMaker IWP puts a totally unrelated record ID in the history.

      So it takes you there instead of back to the previous screen (the Family page).

      Back Button 7.png


      THIS IS A SERIOUS PROBLEM! Consider that this might be a court record and an attorney is looking at one case, and ends up seeing information from another case.

      And that is exactly what I am doing in the real application.






        • 1. Re: IWP Browser back button goes to the wrong place - security issue



          Can't comment on FMP12, but what you are seeing is also present in FMP11. That is the only version that I have direct experience with. In my case, the IWP dB is not exposed to the public.


          Therefore, I provided buttons for all navigation and the training/user guide for the dB explicitly says to not touch the regular browser buttons for navigation.


          In circumstances where I thought it was likely that the user would use the back button, I created a new virtual window. An example is where the user is in a list view and clicks to show the detail of that record. Instead of switching directly to the Detail layout, I did a new window (virtual), found that one record, and went to the detail layout. My "Back" button then closed the window, thus restoring the user to the list view layout.


          I would imagine that the ultimate answer to your question would be to do your solution in Custom Web Publishing using PHP. This wasn't an option in my case, thus using IWP. My solution does not contain any sensitive data as yours does.