NetTalk Central

Topic: Open Form from Link in Change Mode with Login Required

trent

Open Form from Link in Change Mode with Login Required
« on: June 03, 2014, 05:47:37 PM »
Hi Bruce,

I'm trying to allow users to open a form in change mode from a URL that has been emailed to them. What I've noticed is that this works successfully if a login is not required but fails if a login is required.

To replicate the problem:

1) Download the attached 'web3' example.
2) Compile and run.
3) Login with the demo credentials.
4) Open this link: http://localhost:88/mailboxesformcontrol?MAI:MailBoxNumber=28&PressedButton=Change_btn
5) It works!
6) Logout.
7) Open the same link above.
8) Login with the demo credentials.
9) An error will be displayed - it cannot fetch the record.

Is this possible when login is required?

Regards,
Trent

[attachment deleted by admin]

trent

Re: Open Form from Link in Change Mode with Login Required
« Reply #1 on: June 05, 2014, 12:52:25 AM »
bumpity bump

Bruce

Re: Open Form from Link in Change Mode with Login Required
« Reply #2 on: June 06, 2014, 04:46:04 AM »
Fixed in 8.16.
You can apply the fix to your current build.
Edit \clarion9\accessory\libsrc\win\netweb.clw
Look for the line (circa 8171):
        self.SetSessionValue(chainname,sub(self.WholeURL,x,len(clip(self.WholeURL))))
Replace it with:
        self.SetSessionValue(chainname,sub(self.WholeURL,x+1,len(clip(self.WholeURL))))

Cheers
Bruce

trent

Re: Open Form from Link in Change Mode with Login Required
« Reply #3 on: June 06, 2014, 07:48:10 PM »
Hi Bruce,

Thank you, this works well for an unencrypted URL.

But if you wanted to encrypt the URL it does not seem to work. By that I mean the form does not seem to be in Change mode and you cannot open any files. Wherever I put the decrypt code, I can see that the SysID is being decrypted correctly but the record is not fetched.

If I try to fetch the record manually after decrypting I get an error 30 when opening the file:

Code:
  if p_web.GetValue('ds')
    if not p_web.GSV('MRL:SysID')
      p_web.SSV('LOC:MRLErr',0)
      st2.SetValue(p_web.GetValue('ds'))
      if st2.Len()
        debug('Before decode: '& st2.GetValue())
        st2.Base64Decode()
        debug('Opened link from DataServer email - MRL:SysID = '& st2.GetValue()) !<<<< This shows the correct SysID
        p_web.SSV('MRL:SysID',st2.GetValue())
        p_web.OpenFile(MaintReportLog)  !<<<< This shows the error 30
        if errorcode()
          debug('Error on p_web.OpenFile(MaintReportLog), errorcode('& errorcode() &') error('& error() &')')
        end!If
        clear(MRL:Record)
        MRL:SysID = p_web.GSV('MRL:SysID')
        p_web.SetSQLTimeout(MaintReportLog,net:on)
        if access:MaintReportLog.tryfetch(MRL:KeySysID)
          debug('Error on access:MaintReportLog.tryfetch(MRL:KeySysID), errorcode('& errorcode() &') error('& error() &')')
          p_web.SSV('LOC:MRLErr',1)
        ELSE
          debug('Fetched MRL:SysID successfully')
        end!If
        p_web.SetSQLTimeout(MaintReportLog,net:off)
        p_web.CloseFile(MaintReportLog)
      ELSE
        p_web.SSV('LOC:MRLErr',1)
      end!if
    end!If
  ELSE
    p_web.SSV('LOC:MRLErr',0)
  end!if

  if p_web.GSV('LOC:MRLErr') = 1
    p_web.SSV('LOC:MRLErr',0)
    p_web.Script(p_web.WindowOpen('MaintLogFilter?err=1','_self'))
  end!If

I've tried putting that in the 'Procedure Setup', 'Pre-Update' and 'Before Heading' embeds.

The 'Pre-Update' routine is not called either.

Regards,
Trent

Bruce

Re: Open Form from Link in Change Mode with Login Required
« Reply #4 on: June 07, 2014, 05:37:59 AM »
I'm not sure what you mean by an "encrypted URL".
Perhaps you need to post an example of what you are doing there?


trent

Re: Open Form from Link in Change Mode with Login Required
« Reply #5 on: June 07, 2014, 02:13:48 PM »
Hi Bruce,

I'm doing a stringtheory.base64encode (with wrapping disabled) to 'encrypt' the ID. When an end user receives a URL with the encrypted ID in it, they click the link and the form decrypts the ID number. See attached example:

1) Take a look at the MailboxesBrowseControl > SetQueueRecord embed - this is a demonstration of the 'encryption' side.
2) Open localhost:88 and go to the Mailboxes browse. Have DebugView open.
3) Copy the 'External URL'.
4) Logout.
5) Paste the 'External URL' into the browser address and press enter.
6) Login.
7) You will see the key is not primed and the 'Pre-Update' routine is not even called. DebugView will show that the ID is decrypted successfully, the Mailboxes file got an error when trying to open, and the record was fetched successfully.

Regards,
Trent

[attachment deleted by admin]

Bruce

Re: Open Form from Link in Change Mode with Login Required
« Reply #6 on: June 09, 2014, 05:20:36 AM »
You're on sort-of the right track, but you're being undone by a couple of things.

First, encoding is not encryption. And it's pretty obvious these values are just base 64 encoded. (The == is a dead give-away.) So even if you get this working, that's probably not the right approach to take. AT&T exposed something like half a million emails not so long ago for accepting these sorts of sequential numeric IDs.

A better approach is to have a table where you add a random record when you create the link. Then the value in the link is completely random, and the real value is stored in the table. You can also use this approach to make the link "one time" (ie delete the record when it is used) and "must be used within xxx minutes", both of which are useful added security.

The other problem is the place where you are doing the "decoding". The correct place to do it would be the WebHandler procedure, SetValue method. You would spot a specific incoming p_name there, and then call the parent with the correct name, and the "real" p_Value.

ie Something like (before parent call)

if p_name = 'el:boxnumber'
  PARENT.SetValue('mai:mailboxnumber', GetRealValue(p_Value) ,p_Picture,p_formatted,p_overWrite)
  return
End


This way the link doesn't leak the field name, or the field value.
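
The random link table described in the reply above, sketched in Python with SQLite as an added example (not part of the original posts and not NetTalk code). The table name `email_link`, the function names and the 15-minute window are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 15 * 60  # assumed value for the "xxx minutes" window


def open_store():
    """In-memory link table; only the SHA-256 of each token is stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE email_link (token_hash TEXT PRIMARY KEY,"
               " record_id INTEGER NOT NULL, expires_at REAL NOT NULL)")
    return db


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_link(db, record_id, now=None):
    """Create a random token for record_id and return the value to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO email_link VALUES (?, ?, ?)",
               (_digest(token), record_id, now + TTL_SECONDS))
    db.commit()
    return token


def redeem_link(db, token, now=None):
    """Return the real record id once, or None if unknown, used or expired."""
    now = time.time() if now is None else now
    try:
        h = _digest(token)
    except UnicodeEncodeError:  # tokens we issue are always ASCII
        return None
    row = db.execute("SELECT record_id, expires_at FROM email_link"
                     " WHERE token_hash = ?", (h,)).fetchone()
    if row is None:
        return None
    # Delete on first sight, so a link is single-use and expired rows go too.
    deleted = db.execute("DELETE FROM email_link WHERE token_hash = ?",
                         (h,)).rowcount
    db.commit()
    if deleted != 1 or now > row[1]:
        return None
    return row[0]
```

The token only hides the identifier; the form handler still has to check that the logged-in user is allowed to change the record that `redeem_link` returns.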




trent

Re: Open Form from Link in Change Mode with Login Required
« Reply #7 on: June 10, 2014, 02:05:47 AM »
Hi Bruce,

I've set up the new table and this works but you cannot Save or Cancel the form. Attached is an example, the "encryption" is very basic, didn't want to spend too much time on it:

1) Compile and run.
2) Open this link: http://localhost:88/MailboxesFormControl?el:boxnumber=ThisIsAnEncryptedValue1234&PressedButton=change_btn
3) Login - seems to work ok.
4) Try to Save and Cancel the form - Save produces an error and Cancel does nothing.

Regards,
Trent

[attachment deleted by admin]

trent

Re: Open Form from Link in Change Mode with Login Required
« Reply #8 on: June 10, 2014, 06:38:11 PM »
Hi Bruce,

Forget about the last post, got it all working now! Thank you for your help.

Regards,
Trent