soSIMPLE Security

The soSIMPLE Calendar has several features and options to enhance the security of your calendar.

Standalone Mode: If you are using a Standalone Calendar, your calendar can only be accessed from the file where you place your web viewer. The calendar data is temporarily exported as “data.js” to FileMaker’s temporary folder. This folder is cleared when FileMaker quits. If FileMaker crashes while you’re using it, the data.js file is not deleted until you re-open FileMaker.

Please note: the rest of this page only applies to Server-Powered Calendars.

Server-Powered:

Built-in obfuscation

Every calendar built in the soSIMPLE Calendar Settings uses a cryptic serial number for the link to the calendar. That means that it’s nearly impossible to guess the correct URL to view someone else’s calendar. An example URL looks like this:

http://<xx.xx.xx.xx>/soSIMPLE/sosimple_cal.php?calendar=1-2-063518148595-0000000-01300_123516845033779

Recommendations if you’re concerned about securing Server-Powered Calendars:

  1. Data Source setup.
    • Set up a specific account just for soSIMPLE Calendar access
    • Client-Side Script::
      • account being used should only have “[FMPHP]” extended privilege enabled. By removing “[FMAPP]” extended privilege, you disallow using the dedicated soSIMPLE account to log into your database directly over the network.
      • account being used should allow read only access to your database for client-side scripting.
      • account being used should only provide access to layout and fields specified in the data source setup
      • only put the fields on your “datasource layout” that are specified in the data source window. That’s all you need to draw the calendar, and this limits what data can be viewed surreptitiously.
    • Server-Side Async: account needs read/write access to any fields that can be altered from the calendar, but can still be limited
      • same best practices as Client-Side Script, but you can’t limit the account to read-only access unless it’s a read-only calendar.
  2. Secure the soSIMPLE Calendar Settings app
    • There is a single account required to use soSIMPLE Calendar Settings, called “config”. The built-in password is also “config”. By changing this password, no one will be able to open soSIMPLE Calendar Settings to make changes or view other people’s calendar settings.
  3. Move “cache” directory
    • Move the cache directory out of the web folder and change the config.php to reflect the change
  4. Turn on Secure setting on FileMaker Server
    • This encrypts traffic between the web page and FileMaker Server. Change the config.php by adding https to the beginning of the hostname.
  5. Install calendar in directory used for secure protocol (https).
  6. Password protect the web server directory
    • Use web-server settings to add a password or realm to your web server directories. This will add the requirement to log in every time the web viewer is drawn or data is refreshed. You can then chose to “remember” the password in the browser so that you don’t need to re-type it every time.
  7. Use “Advanced Find Script” with a unique passed parameter
    • The Advanced Find Script allows you to run a server-side script to determine what events get rendered on the calendar. By generating a temporary unique ID, assigning it to local field, such as a session or user field, then passing the same number in the calendar URL as part of the find_parameter, you can restrict record access very tightly.