Filemaker Web Publishing & Data Integrity - filemaker

I was recently asked to try to solve a data integrity problem with a Filemaker database app that has been published to the Web.
This app collects job applicant data, through a series of views. There have been reports from a handful of users that during their experience using the app, they would see another applicant's data while traversing through the application. It seems like these users all exceeded the session timeout threshold and were then shown somebody else's data in the form.
I am looking at the JSESSIONID cookie that is being generated, since that is the only link that I see between a browser session and the app. The JSESSIONID cookie is set to expire in the past and is of type "session".
The JSESSIONID values also seem incredibly similar; here are two JSESSIONIDS that I received when testing the app:
02442D0AA37DEF0512674E8C
02442D09A38288D712674E8E
Has anyone experienced a similar issue with Filemaker apps published to the web?
Is there anyplace else that I need to look besides at the way the JSESSIONID and Filemaker 11 relate? In other words, are there other known security vulnerabilities with the Filemaker Web Publishing engine that anyone is aware of?
With appreciation,
Slinky66

The JSESSIONID is set by Apache Tomcat. This software is bundled with FileMaker's Web Publishing Engine, but the session ID generation is not connected in any way with FileMaker.
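A check a defender can run on the two JSESSIONID values quoted in the question (added example, not code from the original thread or from FileMaker/Tomcat): decode the hex IDs and measure how much of each ID actually changes between samples. Tomcat's standard generator draws session IDs from SecureRandom, so any two IDs should differ in roughly half their bits with no fixed prefix; a long shared run points at a counter- or clock-derived value, which is the kind of ID that makes neighbouring sessions easy to confuse. The `SAMPLE_IDS` list is copied from the question; the threshold for the `low_entropy_suspected` flag is an assumption chosen for illustration.

```python
"""Added example: compare captured session identifiers for signs of low entropy.

Built around the two JSESSIONID values quoted in the question above.
A well-generated session ID should show no fixed prefix and roughly half
of all bits differing between any two samples. Large shared regions suggest
the IDs are derived from a counter or clock rather than a random source.
"""

from typing import Dict, List

# The two values reported in the question (copied from the page).
SAMPLE_IDS: List[str] = [
    "02442D0AA37DEF0512674E8C",
    "02442D09A38288D712674E8E",
]


def _nibbles(session_id: str) -> List[int]:
    """Turn a hex session ID into a list of 4-bit values; rejects non-hex input."""
    return [int(ch, 16) for ch in session_id.strip()]


def hamming_bits(a: str, b: str) -> int:
    """Number of differing bits between two equal-length hex session IDs."""
    na, nb = _nibbles(a), _nibbles(b)
    if len(na) != len(nb):
        raise ValueError("session IDs differ in length")
    return sum(bin(x ^ y).count("1") for x, y in zip(na, nb))


def common_prefix_len(a: str, b: str) -> int:
    """Length (in hex digits) of the identical leading run of two IDs."""
    n = 0
    for x, y in zip(a.upper(), b.upper()):
        if x != y:
            break
        n += 1
    return n


def varying_positions(ids: List[str]) -> List[int]:
    """Hex-digit positions that take more than one value across all samples."""
    columns = zip(*(s.upper() for s in ids))
    return [i for i, col in enumerate(columns) if len(set(col)) > 1]


def summarize(ids: List[str]) -> Dict[str, object]:
    """Summary a reviewer can read: how much of the ID is actually moving."""
    if len(ids) < 2:
        raise ValueError("need at least two session IDs")
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("session IDs differ in length")
    total_bits = width * 4
    # Hamming distance of every sample against the first one; an unbiased
    # random source would put each value near total_bits / 2.
    distances = [hamming_bits(ids[0], other) for other in ids[1:]]
    moving = varying_positions(ids)
    return {
        "hex_digits": width,
        "total_bits": total_bits,
        "fixed_hex_digits": width - len(moving),
        "varying_positions": moving,
        "min_hamming_bits": min(distances),
        "expected_random_bits": total_bits // 2,
        # Assumed threshold: flag when fewer than a quarter of the bits moved
        # between some pair of samples, far below what a random generator gives.
        "low_entropy_suspected": min(distances) < total_bits // 4,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_IDS).items():
        print(f"{key}: {value}")
```

Two samples only give a hint, not proof; capture a few dozen IDs from fresh sessions and feed them to `summarize` before drawing conclusions. For the pair on the page, 16 of the 24 hex digits never change and only 20 of 96 bits differ, which is why the flag trips.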

I received notice from a Filemaker technical support member that there is a known, documented bug in Filemaker that is the cause of this issue. See these threads for more detailed information:
http://forums.filemaker.com/posts/0d29aeaea1
http://forums.filemaker.com/posts/ad61a7e781

Related

Database info not showing when previewing site on mobile?

I have made a simple full stack application that uses a postgreSQL database. When previewing the site on desktop it works fine and is able to retrieve all the information with no problem so long as my backend server is on. I am trying to preview the site on my phone using my IP address followed by the port number and it comes up just fine but only the frontend is displaying on my phone. I am unable to see any information from my backend or database. Does anyone know why that is or how I can fix that to display on my phone (without hosting the site)?
1. Maybe it's just a caching issue.
Check your mobile phone browser cache setting.
In general, browsers use caching technology for performance reasons. Caching refers to storing values that you previously requested locally and then reusing old values instead of fetching new values when a similar request comes in.
2. Maybe it's a front-end CSS problem.
If design-related elements such as CSS are not accurate, problems that cannot be seen on the screen may occur even if server data is imported normally.
3. Or maybe the front-end can't get data from the server at all.
In this case, it is necessary to debug the server source, check whether it is sent normally to the screen, and check whether the response is received normally through the network tab.
After checking the three above, even if you can't solve the problem, at least you'll know exactly what the problem is.

How appropriate it is to use SAML_login with AEM with more than 1m users?

I am investigating a slow login time and some profile synchronisation problems of a large enterprise AEM project. The system has around 1.5m users. And the website is served by 10 publishers.
The way this project is built, is that they have enabled the SAML_login for all these end-users and there is a third party IDP which I assume SAML_login talks to. I'm no expert on this SSO - SAML_login processes, so I'm trying to understand if this is the correct way to go at the first step.
Because of this setup and the number of users, the SAML_login call takes 15 seconds on average. This is getting unacceptable day by day as the user count rises. And even more importantly, the synchronization between the 10 publishers is failing occasionally, hence some of the users sometimes can't use the system as they are expected to.
Because the users are stored in the JCR for SAML_login, you cannot even go and check the home/users folder from the CRX browser. It times out as it is impossible to show 1.5m rows at once. And my educated guess is, that's why the SAML_login call is taking so long.
I've come across articles that tell how to set up SAML_login on AEM, and this makes it sound legitimate for what it is used for in this case. But in my opinion this is the worst setup ever, as JCR is not a well-designed quick-access data store for this kind of usage scenario.
My understanding so far is that this approach might work well but only with a limited number of users; with this many users, it is an inapplicable solution approach. So my first question would be: Am I right? :)
If I'm not right, there is certainly a bottleneck somewhere which I'm not aware of yet, what can be that bottleneck to improve upon?
The AEM SAML Authentication handler has some performance limitations with a default configuration. When your browser does an HTTP POST request to AEM under /saml_login it includes a base64-encoded "SAMLResponse" request parameter. AEM directly processes that response and does not contact any external systems.
Even though the SAML response is processed on AEM itself, the bottlenecks of the /saml_login call are the following:
Initial login where AEM creates the user node for the first time - you can look at creating the nodes ahead of time. You could write a script to create the SAML user nodes (under /home/users) in AEM ahead of time.
During each login when the session is first created - a token node is created under the user node under /home/users/.../{usernode}/.tokens - this can be avoided by enabling the encapsulated token feature.
Finally, the last bottleneck occurs when it saves the SAMLResponse XML under the user node (for later use required for SAML-based logout). This can be avoided by not implementing SAML-based logout. The latest com.adobe.granite.auth.saml bundle supports turning off the saving of the SAML response. Service packs AEM 6.4.8 and AEM 6.5.4 include this feature. To enable this feature, set the OSGi configuration properties storeSAMLResponse=false and handleLogout=false and it will not store the SAML response.

Find out since how long the cache has been stored in IndexDB?

I am using a web application for doing data entry which has a mechanism for storing the data entry form (which is an html form) in the browser cache IndexDB.
I am able to see the form in the browser dev tool like so:
I want to know for how long IndexedDB will be able to store the form in the browser. Is it possible that it has been months since the browser cache was the same? Will closing the browser clear the keys? Or is this persistent enough storage to last for a few months?
Is it possible to find out when (the exact date or time) the cache entry was made in IndexedDB?
I am asking this because I suspect some discrepancy in the form for some of our users, as the data being sent is a little different than expected.
Any help is appreciated.
Thanks
DHIS2, the application you are referring to, has an application you and other users can use to clear any cached data. This app is named "Browser Cache Cleaner", and gives you a list of different things to clear. I would try this app and see if your users still have these issues.
Databases don't expose the timestamp of when a database record was last modified. That's something the developer needs to make the application store in the database records. For example, one could have created_at and modified_at columns to track when the record was created and when it was last modified.
IndexedDB is a persistent client storage API, so yes, data will stay permanently unless the user clears the browser's cache.
If there is some discrepancy in the form being sent, I would look at the caching strategy. Offline data caching is a pretty broad topic (also I don't know much about your application), but Google's Offline Cookbook is a good place to start digging into this topic, as well as caching strategies for your use.

Using NeoLoad to test ZK application

I am trying to use NeoLoad 5.2 to record test scenario for ZK application.
Unfortunately, it looks like some operations are not recorded. For example:
Login and password of the login form are not shown among requests
Population of combo boxes is not shown
I prepared ZK app to generate repeatable components and desktops ids.
Does somebody have such experience? Should I configure NeoLoad or the ZK application in some special way to record all the data exchange which happens?
We had a similar issue where the recording did not have any source (empty body). Luckily the playback did return code which we used for correlation and validation. It does seem to be a bug in the toolset, but we bypassed the issue.

Apple iCal's "Delegation" tab -- disabled checkboxes?

I am trying to access a CalDAV account in iCal and everything works fine except for the Delegation tab. I can see the account(s) I have access to (including the correct read/write properties), but the checkboxes are disabled and the calendars cannot be selected. Has anyone seen this before & know what the cause is?
This is a custom CalDAV implementation, so it is likely due to a disconnect between what iCal expects and what our server is sending -- but there are no error/warning messages in the console to indicate what the problem might be.
Any advice would be appreciated.
iCal queries the permissions and methods available on the server. To query the permissions on a collection resource you will need to have the DAV::read-current-user-privilege-set permission. Assuming iCal can read the permissions it will be looking for the DAV::read permission for reading and the DAV::bind, DAV::unbind and DAV::write permissions to indicate the ability to write.
The best way to debug this is probably to read RFC3744 about half a dozen times, interspersed with using iCal against a working server and sniffing the TCP communication as it does it. A good way is to use some kind of man-in-the-middle proxy so you can sniff the communication with (e.g.) Mobile Me or iCloud.
In my limited experience, this happens when the account used for sharing is functional (not personal) in Microsoft Exchange Server 2010. An example, where two of three are functional:
I do use various CalDAV implementations but have never encountered the same limitation, so this may not be a good answer. Also, Exchange Web Services (EWS) for calendaring and delegation are probably not comparable to CalDAV. Still, it's food for thought.
The Debug menu of iCal 5.x offers CalDAV logging options.
To enable that menu, you could use the Secrets preference pane.