Tim Dietrich

Custom Software Developer


FMEasyWeb: Security Overview

We're coming down the home stretch with FMEasyWeb. Next week we have the preview event, and we're planning to release FMEasyWeb shortly thereafter.

Today I focused on bolstering FMEasyWeb's security, and I think it was time well spent. Security is a huge concern, and we've gone to great lengths to ensure that FMEasyWeb is as secure as possible.

Here's a quick summary of FMEasyWeb's security features.

HTTPS Enforcer. We highly recommend that you use an SSL certificate with FMEasyWeb. It's not a requirement, but it is a strong recommendation. And with FMEasyWeb's "HTTPS Enforcer" function, you can easily require that users of your application access it over HTTPS connections.

Native FileMaker Security. FMEasyWeb supports applications that are available publicly and privately. For private solutions, FMEasyWeb uses FileMaker accounts for authentication, and FileMaker's native security model to enforce permissions. This makes rolling out authentication as easy as possible. Want to give a user access to a private FMEasyWeb application? Put them in a group that has the PHP Web Publishing (fmphp) extended privilege enabled.

Strong Encryption. For privately accessible solutions, credentials are encrypted using the Rijndael (pronounced "Rhine-dahl") algorithm with 256-bit blocks. It's been estimated that it would take 2.5 trillion years to crack this using a brute force attack. Good luck with that.

Smart Session Management. FMEasyWeb regenerates PHP session IDs on every request. This helps prevent session fixation attacks.

Credentials are bound to the IP address that was used when a user successfully authenticated, making session hijacking more difficult.

PHP sessions time out after 5 minutes of inactivity. 5 minutes is the default, but you can specify an alternate timeout value.

For private FMEasyWeb "form" applications, when a form is successfully submitted, the session is completely torn down (including the associated cookie).
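The session controls described above, written out as an added PHP example. This is not FMEasyWeb's own code; the function names, the 300-second default (the post's five minutes), and binding the IP on first sight of the session rather than at login are assumptions.

```php
<?php
// Added example, not FMEasyWeb's code: HTTPS enforcement, session ID
// regeneration, IP binding, inactivity timeout and full session teardown.

// Redirect any plain-HTTP request to its HTTPS equivalent.
function enforce_https(): void {
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
          || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$https) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
}

// Tear the session down completely, including the session cookie.
function destroy_session(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Start the session and apply the timeout, IP binding and ID regeneration.
function start_hardened_session(int $timeout = 300): void {
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    session_start();

    $now = time();
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';

    // Idle longer than $timeout seconds: discard the session and start clean.
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > $timeout) {
        destroy_session();
        session_start();
    }
    // Session presented from a different IP than it was bound to: discard it.
    if (isset($_SESSION['bound_ip']) && $_SESSION['bound_ip'] !== $ip) {
        destroy_session();
        session_start();
    }
    $_SESSION['last_activity'] = $now;
    $_SESSION['bound_ip'] = $_SESSION['bound_ip'] ?? $ip;   // assumption: bound on first sight

    // Fresh session ID on every request; the old ID is deleted server-side.
    session_regenerate_id(true);
}

enforce_https();
start_hardened_session();
```

On a successful form submission, calling `destroy_session()` gives the complete teardown (cookie included) that the post describes.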

SiteShield. FMEasyWeb makes use of "SiteShield," a feature that was first introduced in FMWebFrame. It's an admittedly lightweight software-based firewall, but it is very convenient and surprisingly effective.

We'll talk more about FMEasyWeb's security features next week. In the meantime, please leave any comments, questions, or suggestions below.