Login Sessions

Does your FileMaker database track when users log in and log out? Do you know how long users are logged into your system? Do you track what they do? Are there accountability requirements in place for your system?

In computing, the term Session applies to a "semi-permanent interactive information interchange" (source: Wikipedia). At its core, this can be handled by adding a table called Sessions to your database, but there's a bit more to it than that.

Beyond adding the table and fields, you need to determine what you want to track, how it can be accessed, and by whom. In most cases, much of the session information collected is immutable, because it identifies who does what in the database and for how long. This session data may also need to tie into your security model and how users access database data.

In this video, I provide you with a very straightforward, although seemingly complex, system (especially if you don't know FileMaker's security settings) for managing both logins and session information. You can use strictly FileMaker managed accounts or you can authenticate based on a table within your solution. It accounts for both lax and strict security requirements.

If you've not added session management features to your database then this video will help you get started in a pretty short time. Understanding how you can use a session record to store data specific to what the user is doing in the database is also helpful to the overall usability of your solution.

Attachment: LoginSessions.zip (351.15 KB)

Comments

Hi Matt.

I love your videos. Great stuff. This one in particular is as though you had read my mind as I am looking into this very thing for a database at my work. A question I had...to get around the MD5 issue (and avoiding plugins), could I use a JavaScript library (like crypto.js) to create a hash in say SHA-3 and use that same snippet to generate the password entry hash for comparison? I'm very new to this sort of thing, but I watched your video on using JavaScript libraries for other things and it occurred to me that this might be a workable solution. I thought you might be able to shed light on why this might be a bad idea.

Thanks so much.

Marc

I personally use Forge for iPad based crypto.

https://github.com/digitalbazaar/forge/tree/master. You may need to compose it within node, but it's certainly doable.

4 lines of code will get you a nice digest hash.

// Create a SHA256 Message Digest
var password = "JavaScript Is Great" + "some random key";
var md = forge.md.sha256.create();
md.update(password);
var hash = md.digest().toHex();

-- Matt Petrowsky - ISO FileMaker Magazine Editor
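
An added example, not part of the original comment or the video's demo file: for a password stored in an accounts table, the usual hardening over a single SHA-256 pass with a fixed key is a random per-account salt, an iterated key-derivation function, and a constant-time comparison. This sketch uses Node's built-in crypto module rather than Forge; the function names, the iterations$salt$hash record format and the iteration count are assumptions.

```javascript
// Salted, iterated password hashing for a table-based login.
// Assumptions: Node's built-in crypto (not Forge), hypothetical function
// names, and a hypothetical stored format "iterations$saltHex$hashHex".
const nodeCrypto = require('node:crypto');

const ITERATIONS = 600000; // assumed work factor; tune to your hardware
const KEY_BYTES = 32;      // 256-bit derived key
const DIGEST = 'sha256';   // PBKDF2-HMAC-SHA256

// Returns the string to store in the account record.
function hashPassword(password, iterations = ITERATIONS) {
  const salt = nodeCrypto.randomBytes(16); // fresh random salt per account
  const hash = nodeCrypto.pbkdf2Sync(password, salt, iterations, KEY_BYTES, DIGEST);
  return [iterations, salt.toString('hex'), hash.toString('hex')].join('$');
}

// Recomputes the hash with the stored salt and compares in constant time.
// Malformed records are rejected instead of throwing.
function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 3) return false;
  const iterations = Number(parts[0]);
  if (!Number.isInteger(iterations) || iterations < 1) return false;
  if (!/^[0-9a-f]{32}$/.test(parts[1])) return false; // 16-byte salt
  if (!/^[0-9a-f]{64}$/.test(parts[2])) return false; // 32-byte hash
  const salt = Buffer.from(parts[1], 'hex');
  const expected = Buffer.from(parts[2], 'hex');
  const actual = nodeCrypto.pbkdf2Sync(password, salt, iterations, KEY_BYTES, DIGEST);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// True when a record was created with a lower work factor and should be
// re-hashed after the next successful login.
function needsRehash(stored, target = ITERATIONS) {
  return Number(String(stored).split('$')[0]) < target;
}
```

Because the salt and iteration count travel with the hash, the same record can be verified later even after the default work factor has been raised.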

Is there any way to log when a WebDirect session is closed or times out? This is easy to do if the user clicks on file and logout, but not if they manually close the browser or go idle.

Because a browser session is somewhat stateless - although you do have JS doing some polling, the user would have to explicitly click a logout button.

-- Matt Petrowsky - ISO FileMaker Magazine Editor