How to bypass the IWP login page
Since v8 FileMaker® Server Advanced got a new IWP login page.
It's better than the previous authentication scheme in a number of ways. The most important one is that you can use non-romanized account names for non-English applications. If you application is entirely in Russian or Japanese, romanized account names look quite awkward. With FileMaker 8 romanized ‘Petrov’ and ‘Ueda’ can be changed to real ‘Петров’ and ‘上田’.
Yet it also has some disadvantages. Though you can customize the IWP home page, there's no instructions on how you can place the authentication form on this page and save your users a few clicks. If you want to allow both guests and authenticated users, guests will have to go through the same authentication page as well. The form is implemented in such a way that users can no longer have their browsers to remember the login and password. Unless they use some other password management utility like KeePass, they will have to type both their login and password every time. As I see this is intentional (the form has the autocomplete attribute explicitly set to off), but such a strict policy is not always necessary.
On FileMaker Forums I've seen some requests about this problem. There are also answers, but none of them gives a complete solution and some suggestions are a bit too complex. So here are exact recipes that work.
In all the examples I used the FMServer_Sample file that comes with FileMaker Server as the sample file to log in to. The HTML internals are shown on screenshots, but, of course, I have a sample file with all the code.
Log in to a file via form
As [Guest]:
As an authenticated user:
In both cases the file name is in the dbpath param:
Change it if you need to log in to another file.
Log in to a file via link
As [Guest]:
As an (predefined) authenticated user:
As you see it's simply a mechanical transformation of the forms. The only thing that requires special attention is the dbpath parameter: you have to encode reserved, non-ASCII and “unsafe” characters.
Check this if you need more information on URL encoding.
Don't forget to grab the sample file :) Next post (Dec 22, 2006): Miscellaneous development tips.
Thanks for your examples. They use a couple of special terms like "-startsession" and "-authdb". Do you know which part of the FileMaker Web Publishing system interprets this terms - and which other terms are available, their syntax etc? Maybe they could be used for some control of the web publishing system?
Best regards Mogens Brun
FM Integrator
Posted by: Mogens Brun | March 27, 2007 at 02:53 PM
I extracted these parameters from the source code of the IWP login page with some help of Firefox DOM Inspector, I think. There can be some other parameters, but I have no idea where to get them :) except that from other IWP pages maybe. This would be a rather tedious job though.
Posted by: Mikhail Edoshin | March 27, 2007 at 10:32 PM
Thanks for this explanation but is there some way to make this url emailable?
I've gotten my direct login test url working in a web page but when I copy the url to an email (or a web browser address bar) it does not work.
Ive tried the unencoded and encoded (%2F, etc.) versions and neither work.
I don't understand why this will work as a clickable link but not a direct url.
Posted by: icarux | May 23, 2007 at 05:21 AM
This is great! Thanks so much for the help, this is working so well for our users to more easiliy access the databases.
The only issue we have found is if a user tries to access a 2nd database during the same browser session; they end up back in the original database. I'm guessing this is a cookie-related issue? Is there any way to force clearing the cookies and starting a new session?
Thanks again for your help!
-Rob McLear
Posted by: Rob McLear | June 01, 2007 at 04:23 AM
Did anyone manage to get round the cookie problem?
Posted by: Nick | June 13, 2007 at 12:30 PM
To icarux: try replace in the URL with actual ampersands.
To Rob and Nick: if the user logs out the first database using the button on the status area then he/she will be able to connect to another just fine. Does this solve the problem?
Posted by: Mikhail Edoshin | June 16, 2007 at 02:44 PM
I've used some Lasso code in custom login pages before to clear out the cookies - works great!
Here it is:
[cookie_set: 'http-session'='', -expires='-1', -path='/fmi/iwp']
[cookie_set: 'fmi-cookie'='', -expires='-1', -path='/']
- John
Posted by: John May | June 20, 2007 at 05:55 AM
With regards to the cookie solution, how is this code implemented? Where abouts in my html page do I use this code?
Posted by: Shaun Kilbride | July 31, 2007 at 02:21 PM
Does this login bypass solution still work in FMSA 9? I keep ending up on the IWP home page.
Posted by: Steve St-Laurent | October 14, 2007 at 03:47 AM
It works! Absolutely brilliant, Mikhail!
Someone from Technet directed me here when I asked how to do this. Thanks so much!
Paul
Posted by: Paul Spafford | March 25, 2008 at 07:20 PM