1 Reply Latest reply on Feb 14, 2013 2:59 PM by BowdenData

    IWP Browser back button goes to the wrong place - security issue

    jimhoyt

      FileMaker 12 Server/Advanced on Mac or Windows, using Instant Web Publishing (IWP) for user access.

      Any web browser.

      Clicking the browser back button goes somewhere you've never been. This is a security issue and needs to be addressed.

      FileMaker is placing things in the browser history that have no relationship to the data being viewed.

      Even if the back button could only be controlled so that you are logged out, that would be better than what it does now.

      Here is the relationship graph:

      Back Button Graph.png

      In the list of families, select one.

      Back Button 1.jpg

      Then select a child.

      Back Button 2.png

      In the child's record, click the browser back button.

      Back Button 3.png

      You will get this message:

      Back Button 4.png

      When you click OK, you get this result!

      Back Button 5.png

      In IE, you can see what is going on. For some unknown reason, FileMaker IWP puts a totally unrelated record ID in the history.

      So it takes you there instead of back to the previous screen (the Family page).

      Back Button 7.png

      THIS IS A SERIOUS PROBLEM! Consider that this might be a court record and an attorney is looking at one case, and ends up seeing information from another case.

      And that is exactly what I am doing in the real application.

      ANYBODY HAVE AN IDEA?

      FILEMAKER TECH SUPPORT?

        • 1. Re: IWP Browser back button goes to the wrong place - security issue
          BowdenData

          Jim,

          Can't comment on FMP12, but what you are seeing is also present in FMP11. That is the only version that I have direct experience with. In my case, the IWP DB is not exposed to the public.

          Therefore, I provided buttons for all navigation, and the training/user guide for the DB explicitly says not to touch the regular browser buttons for navigation.

          In circumstances where I thought it was likely that the user would use the back button, I created a new virtual window. Example is where the user is in a list view and clicks to show the detail of that record. Instead of switching directly to the Detail layout, I did a new window (virtual), found that one record, and went to the detail layout. My "Back" button then closed the window thus restoring the user to the list view layout.

          I would imagine that the ultimate answer to your question would be to do your solution in Custom Web Publishing using PHP. This wasn't an option in my case, thus using IWP. My solution does not contain any sensitive data as yours does.

          HTH.

          Doug
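          The "virtual window" workaround Doug describes, written out as a FileMaker script listing. This is an added illustration, not Doug's own script or anything from FileMaker; the layout names "Children" and "Child Detail", the field Children::ChildID and the script names are assumptions. The found-count check is there so that the detail window is never left showing some other record if the find does not return exactly the selected one, which is the same class of exposure the original post is about.

```text
# Script: Show Child Detail   (assumed name; attached to the row button on the "Children" list layout)
# Capture the key of the clicked row before opening the new window.
Set Variable [ $childID ; Value: Children::ChildID ]
# Open a separate window so the list view's found set and history are untouched.
New Window [ Name: "Child Detail" ]
Go to Layout [ "Child Detail" (Children) ]
# Isolate exactly the selected record in this window.
Enter Find Mode [ Pause: Off ]
Set Field [ Children::ChildID ; $childID ]
Perform Find [ ]
# Defensive check: if the find did not land on precisely one record, close rather than show anything.
If [ Get ( FoundCount ) ≠ 1 ]
  Close Window [ Current Window ]
  Exit Script [ ]
End If

# Script: Back   (assumed name; attached to the in-layout "Back" button on "Child Detail")
# Closing the window drops the user back onto the list layout with its original found set.
Close Window [ Current Window ]
```

          All of the steps used here (Set Variable, New Window, Go to Layout, Enter Find Mode, Set Field, Perform Find, If/End If, Close Window, Exit Script) are standard FileMaker script steps; whether each is web-compatible for IWP in a given version should be confirmed against that version's script step reference before relying on it.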