security on lasso scheduled scripts


security on lasso scheduled scripts

Tami Williams-3
I'm curious - how do you "protect" your lasso scheduled scripts from  
being run by whomever?

If the script is a .lasso page on the server and Lasso Site Admin was  
used to set up the schedule, what do you do to 'lock' it down?

Besides adding a conditional to the page so that if it's being called  
by any IP other than the Lasso server machine it does NOT run - i.e.  
only run when called by the Lasso server machine,

what other things have people done?

Thanks in advance.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It's better to burn out than to fade away."

Tami Williams
Creative Computing
Let us help you make frustrating, costly, and inefficient processes  
more efficient, less costly and scalable.
Lasso, MySQL and FileMaker specialists.

Tel: 770.457.3221
Fax: 770.454.7419
E-Mail: [hidden email]
Web: http://www.asktami.com/
LinkedIn: http://www.linkedin.com/in/asktami
Twitter: http://twitter.com/asktami
iChat/AIM/Skype: tamiwilliamsusa

FileMaker Solutions Alliance Associate | Lasso Professional Alliance  
Member

------

If you want to receive sporadic email from Creative Computing  
regarding news at the company and announcements about upcoming Lasso  
webinars and online classes, please opt-in at http://tinyurl.com/yj7eqlg


#############################################################
This message is sent to you because you are subscribed to
  the mailing list <[hidden email]>.
To unsubscribe, E-mail to: <[hidden email]>
To switch to the DIGEST mode, E-mail to <[hidden email]>
To switch to the INDEX mode, E-mail to <[hidden email]>
Send administrative queries to  <[hidden email]>


Re: security on lasso scheduled scripts

Doug Gentry-2
You're talking about scheduled events, right?  I think there is a way you can store/pass along authentication when the event runs. So, though I haven't used it I would imagine you could add an [auth] or one of the other authentication prompts to the page, which the event scheduler would be able to respond to.

...Doug Gentry

On Sep 7, 2010, at 10:31 AM, Tami Williams wrote:

> I'm curious - how do you "protect" your lasso scheduled scripts from being run by whomever?
>
> If the script is a .lasso page on the server and Lasso Site Admin was used to set up the schedule, what do you do to 'lock' it down?
>
> Besides adding a conditional to the page so that if it's being called by any IP other than the Lasso server machine it does NOT run - i.e. only run when called by the Lasso server machine,
>
> what other things have people done?
>
> Thanks in advance.


---
Doug Gentry
Dynapolis & Southern Oregon University
p:  541-261-8501 / Toll Free: 866-890-6013
[hidden email]
www.dynapolis.com - blog: www.plain-sense.com




|

Re: security on lasso scheduled scripts

Jonathan Guthrie-5
Doug's correct, require a username and password and you supply that from the Site Admin.




On 2010-09-07, at 1:34 PM, Doug Gentry wrote:

> You're talking about scheduled events, right?  I think there is a way you can store/pass along authentication when the event runs. So, though I haven't used it I would imagine you could add an [auth] or one of the other authentication prompts to the page, which the event scheduler would be able to respond to.
>
> ...Doug Gentry

Jonathan Guthrie
R&D

Treefrog Interactive Inc.
www.treefrog.ca
[hidden email]



Re: security on lasso scheduled scripts

Brian Loomis-3
I believe Lasso then translates this into the http://username:password@.../script.lasso for curl.

On Sep 7, 2010, at 11:40 AM, Jonathan Guthrie wrote:

> Doug's correct, require a username and password and you supply that from the Site Admin.

Re: security on lasso scheduled scripts

Marc Vos
In reply to this post by Tami Williams-3
I add auth_<something> to the page, and provide the username/password in the 'schedule event'-page.

- -
Marc

On 7 sep 2010, at 19:31, Tami Williams wrote:

> I'm curious - how do you "protect" your lasso scheduled scripts from being run by whomever?
>
> If the script is a .lasso page on the server and Lasso Site Admin was used to set up the schedule, what do you do to 'lock' it down?
>
> Besides adding a conditional to the page so that if it's being called by any IP other than the Lasso server machine it does NOT run - i.e. only run when called by the Lasso server machine,
>
> what other things have people done?
>
> Thanks in advance.

Re: security on lasso scheduled scripts

Tami Williams-3
How does this stop a member of the public from loading the page in  
their browser and having the script run?


On Sep 7, 2010, at 5:12 PM, Marc Vos wrote:

> I add auth_<something> to the page, and provide the username/password in the 'schedule event'-page.
>
> - -
> Marc

Re: security on lasso scheduled scripts

Tami Williams-3
In reply to this post by Brian Loomis-3
My brain's not working -

How does this stop a member of the public from loading the page in  
their browser and having the script run?


On Sep 7, 2010, at 1:47 PM, Brian Loomis wrote:

> I believe Lasso then translates this into the http://username:password@.../script.lasso for curl.

Re: security on lasso scheduled scripts

Brian Loomis-3
Well, you don't put this setting into Lasso, but this is what Lasso turns it into.

There is nothing to stop this format from being used on any site.  It's a standard method for HTTP authentication.

In fact, you could write a curl script to hammer someone's admin until it opened up.  Some people have written scripts to test for referrer IP, connections per second etc.

On Sep 7, 2010, at 3:26 PM, Tami Williams wrote:

> My brain's not working -
>
> How does this stop a member of the public from loading the page in their browser and having the script run?

Re: security on lasso scheduled scripts

Marc Vos
In reply to this post by Tami Williams-3
The public can only run the script when auth_<something> is satisfied, which means that they cannot run the page without the correct username and password.

- -
Marc

Sent from my iPhone

On 7 sep. 2010, at 23:26, Tami Williams <[hidden email]> wrote:

> How does this stop a member of the public from loading the page in their browser and having the script run?

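Added example, not part of the thread and not Lasso code: a Python model of the exchange discussed above, showing how a `http://username:password@.../script.lasso` style URL becomes a Basic `Authorization` header, and how a server-side gate answers a browser with no credentials, optionally combined with the caller-IP condition from the original question. The function and class names, the credentials, the `www.example.com` URL and the IP addresses are all constructed for illustration.

```python
import base64
import hmac
from urllib.parse import unquote, urlsplit

# Constructed sample values for this example (not taken from the thread).
EXPECTED_USER = "scheduler"
EXPECTED_PASSWORD = "example-only-password"
MAX_FAILURES = 5  # failed attempts tolerated per client IP before refusing


def authorization_from_url(url):
    """Split http://user:password@host/path into (clean_url, headers),
    the way an HTTP client such as curl sends URL-embedded credentials."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, {}
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    host = parts.netloc.rpartition("@")[2]  # netloc without the userinfo
    return parts._replace(netloc=host).geturl(), {"Authorization": f"Basic {token}"}


def parse_basic(header):
    """Decode an Authorization header into (user, password), or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and malformed UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class ScheduledScriptGate:
    """Decides whether a request may run the scheduled job."""

    def __init__(self, allowed_ips=None):
        self.allowed_ips = allowed_ips  # None means no IP restriction
        self.failures = {}              # client IP -> consecutive failures

    def check(self, client_ip, headers):
        """Return (status, response_headers); run the job only on 200."""
        if self.allowed_ips is not None and client_ip not in self.allowed_ips:
            return 403, {}
        if self.failures.get(client_ip, 0) >= MAX_FAILURES:
            return 429, {}
        creds = parse_basic(headers.get("Authorization"))
        user, password = creds if creds else ("", "")
        # Evaluate both comparisons in constant time before combining them.
        user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
        pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
        if not (user_ok and pass_ok):
            self.failures[client_ip] = self.failures.get(client_ip, 0) + 1
            return 401, {"WWW-Authenticate": 'Basic realm="scheduled jobs"'}
        self.failures.pop(client_ip, None)
        return 200, {}


def demo():
    """Run the cases from the thread against constructed requests."""
    url = "http://scheduler:example-only-password@www.example.com/jobs/nightly.lasso"
    clean_url, scheduler_headers = authorization_from_url(url)
    open_gate = ScheduledScriptGate()
    local_only = ScheduledScriptGate(allowed_ips={"127.0.0.1", "::1"})
    return {
        "clean_url": clean_url,
        "browser_no_credentials": open_gate.check("203.0.113.7", {})[0],
        "scheduler_with_credentials": open_gate.check("198.51.100.20", scheduler_headers)[0],
        "remote_with_credentials_ip_locked": local_only.check("203.0.113.7", scheduler_headers)[0],
        "local_scheduler_ip_locked": local_only.check("127.0.0.1", scheduler_headers)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Basic credentials are only base64-encoded, not encrypted, so the scheduled URL should be requested over HTTPS. The failure counter here lives in memory and is keyed on the address the server sees, which behind a proxy is the proxy's.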


Re: security on lasso scheduled scripts

stevepiercy
In reply to this post by Tami Williams-3
As Doug said earlier, put one of the [auth] tags in the file that is requested.
http://reference.lassosoft.com/Reference.LassoApp?[Auth_User]

--steve


On 9/7/10 at 5:26 PM, [hidden email] (Tami Williams) pronounced:

> My brain's not working -
>
> How does this stop a member of the public from loading the page in their browser and
> having the script run?
>
>
> On Sep 7, 2010, at 1:47 PM, Brian Loomis wrote:
>
> >I believe Lasso then translates this into the
> >http://username:password@.../script.lasso for curl.
> >
> >On Sep 7, 2010, at 11:40 AM, Jonathan Guthrie wrote:
> >
> >>Doug's correct, require a username and password and you supply
> >>that from the Site Admin.
> >>
> >>
> >>
> >>
> >>On 2010-09-07, at 1:34 PM, Doug Gentry wrote:
> >>
> >>>You're talking about scheduled events, right?  I think there
> >>>is a way you can store/pass along authentication when the
> >>>event runs. So, though I haven't used it I would imagine you
> >>>could add an [auth] or one of the other authentication
> >>>prompts to the page, which the event scheduler would be able
> >>>to respond to.
> >>>
> >>>...Doug Gentry
> >>>
> >>>On Sep 7, 2010, at 10:31 AM, Tami Williams wrote:
> >>>
> >>>>I'm curious - how do you "protect" your lasso scheduled
> >>>>scripts from being run by whomever?
> >>>>
> >>>>If the script is a .lasso page on the server and Lasso Site
> >>>>Admin was used to set up the schedule, what do you do to
> >>>>'lock' it down?
> >>>>
> >>>>Besides adding a conditional to the page so that if it's
> >>>>being called by any IP other than the Lasso server machine
> >>>>it does NOT run - i.e. only run when called by the Lasso
> >>>>server machine,
> >>>>
> >>>>what other things have people done?
> >>>>
> >>>>Thanks in advance.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>



Re: security on lasso scheduled scripts

Bil Corry-3
In reply to this post by Marc Vos
[auth_custom] is easiest for this.

- Bil

Marc Vos wrote on 9/7/2010 2:31 PM:

> The public can only run the script when auth_<something> is satisfied; which means that they cannot run the page without the correct username and password.
>
> - -
> Marc
>
> Sent from my iPhone
>
> On 7 sep. 2010, at 23:26, Tami Williams <[hidden email]> wrote:
>
>> How does this stop a member of the public from loading the page in their browser and having the script run?
>>
>>
>> On Sep 7, 2010, at 5:12 PM, Marc Vos wrote:
>>
>>> I add auth_<something> to the page, and provide the username/password in the 'schedule event'-page.
>>>
>>> - -
>>> Marc
>>>
>>> On 7 sep 2010, at 19:31, Tami Williams wrote:
>>>
>>>> I'm curious - how do you "protect" your lasso scheduled scripts from being run by whomever?
>>>>
>>>> If the script is a .lasso page on the server and Lasso Site Admin was used to set up the schedule, what do you do to 'lock' it down?
>>>>
>>>> Besides adding a conditional to the page so that if it's being called by any IP other than the Lasso server machine it does NOT run - i.e. only run when called by the Lasso server machine,
>>>>
>>>> what other things have people done?
>>>>
>>>> Thanks in advance.



Re: security on lasso scheduled scripts

Tami Williams-3
In reply to this post by Marc Vos
Meaning that the person sitting in front of the browser gets a dialog  
asking for the username and password but when the script runs from  
inside the Lasso scheduler it just works (no prompts)?  What happens  
when the page is run by Lasso (vs. being invoked by someone via their  
browser)?



On Sep 7, 2010, at 5:31 PM, Marc Vos wrote:

> The public can only run the script when auth_<something> is  
> satisfied; which means that they cannot run the page without the  
> correct username and password.
>
> - -
> Marc
>
> Sent from my iPhone
>
> On 7 sep. 2010, at 23:26, Tami Williams <[hidden email]> wrote:
>
>> How does this stop a member of the public from loading the page in  
>> their browser and having the script run?
>>
>>
>> On Sep 7, 2010, at 5:12 PM, Marc Vos wrote:
>>
>>> I add auth_<something> to the page, and provide the username/
>>> password in the 'schedule event'-page.
>>>
>>> - -
>>> Marc
>>>
>>> On 7 sep 2010, at 19:31, Tami Williams wrote:
>>>
>>>> I'm curious - how do you "protect" your lasso scheduled scripts  
>>>> from being run by whomever?
>>>>
>>>> If the script is a .lasso page on the server and Lasso Site Admin  
>>>> was used to set up the schedule, what do you do to 'lock' it down?
>>>>
>>>> Besides adding a conditional to the page so that if it's being
>>>> called by any IP other than the Lasso server machine it does NOT
>>>> run - i.e. only run when called by the Lasso server machine,
>>>>
>>>> what other things have people done?
>>>>
>>>> Thanks in advance.

Re: security on lasso scheduled scripts

Doug Gentry-2
I think of the scheduler like a robot working a web browser.  The page you have scheduled to run includes one of the [auth] tags - which requires successful authentication before the rest of the script is run - i.e. [auth] is early in the page - above the other Lasso action.  If a real person requests the page, everything is put on hold until the user successfully authenticates.  The event scheduler is just like a user, only you will have supplied it with a username and password. When the scheduled page is run, the scheduler responds (sort of) with the un/pw and the action is allowed to continue.  If a user tried to load the page and could not authenticate, nothing would happen.

Caveat - as I mentioned in my first post I haven't had to do this with my events, for unimportant reasons. So this is just my best reasoning on the process.

...Doug


On Sep 7, 2010, at 4:30 PM, Tami Williams wrote:

> Meaning that the person sitting in front of the browser gets a dialog asking for the username and password but when the script runs from inside the Lasso scheduler it just works (no prompts)?  What happens when the page is run by Lasso (vs. being invoked by someone via their browser)?
>
>
>
> On Sep 7, 2010, at 5:31 PM, Marc Vos wrote:
>
>> The public can only run the script when auth_<something> is satisfied; which means that they cannot run the page without the correct username and password.
>>
>> - -
>> Marc
>>
>> Sent from my iPhone
>>
>> On 7 sep. 2010, at 23:26, Tami Williams <[hidden email]> wrote:
>>
>>> How does this stop a member of the public from loading the page in their browser and having the script run?
>>>
>>>
>>> On Sep 7, 2010, at 5:12 PM, Marc Vos wrote:
>>>
>>>> I add auth_<something> to the page, and provide the username/password in the 'schedule event'-page.
>>>>
>>>> - -
>>>> Marc
>>>>
>>>> On 7 sep 2010, at 19:31, Tami Williams wrote:
>>>>
>>>>> I'm curious - how do you "protect" your lasso scheduled scripts from being run by whomever?
>>>>>
>>>>> If the script is a .lasso page on the server and Lasso Site Admin was used to set up the schedule, what do you do to 'lock' it down?
>>>>>
>>>>> Besides adding a conditional to the page so that if it's being called by any IP other than the Lasso server machine it does NOT run - i.e. only run when called by the Lasso server machine,
>>>>>
>>>>> what other things have people done?
>>>>>
>>>>> Thanks in advance.


---
Doug Gentry
Dynapolis & Southern Oregon University
p:  541-261-8501 / Toll Free: 866-890-6013
[hidden email]
www.dynapolis.com - blog: www.plain-sense.com
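
The request/response exchange described in the post above, sketched as an added example in Python (not Lasso code and not from any poster in this thread). It models a page gated by HTTP Basic authentication, plus the optional "only the server machine" IP conditional from the original question; the realm, account name, password and function names are all constructed for illustration.

```python
import base64
import hmac
import ipaddress

# All values below are constructed for this example.
REALM = "scheduled-jobs"
JOB_USER = "scheduler"
JOB_PASSWORD = "constructed-example-password"
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("::1/128")]


def parse_basic(header):
    """Return (user, password) from an Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    # Only the first colon separates user from password.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_ok(creds):
    """Constant-time comparison against the stored job account."""
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0].encode(), JOB_USER.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), JOB_PASSWORD.encode())
    return user_ok and pass_ok


def is_local(client_ip):
    """True only for loopback addresses; unparsable input is rejected."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def handle_request(headers, client_ip, require_local=False):
    """Return (status, response_headers, job_ran) for one request."""
    if require_local and not is_local(client_ip):
        return 403, {}, False
    if not credentials_ok(parse_basic(headers.get("Authorization"))):
        # This challenge is what makes a browser show its login dialog.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, False
    return 200, {}, True  # the job body would run at this point


def scheduler_headers(user, password):
    """Header sent by a client that was configured with a username/password."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    # Base64 is an encoding, not encryption: send it over HTTPS or loopback only.
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
```

A request with no Authorization header gets the 401 challenge and the job does not run; the same request carrying the configured credentials returns 200 with no prompt.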





Re: security on lasso scheduled scripts

Tami Williams-3
In reply to this post by Tami Williams-3
For the archives for others looking for the answer:

Here's what I've tested - with a page that sends an email.

1. works if I just schedule an event withOUT any [auth] tag, etc.

2. using [auth] tag at top of page, and in Lasso Site Admin -> Utility  
-> Events (where you schedule the script) entered a username and  
password of one of the users that was set up in Lasso Setup ->  
Security ->  Users.
RESULT = WORKS.

Note:  it looks like the schedule didn't actually run at the time  
scheduled but instead it ran 12 minutes late.  But it did run.


On Sep 7, 2010, at 7:43 PM, Doug Gentry wrote:

> I think of the scheduler like a robot working a web browser.  The  
> page you have scheduled to run includes one of the [auth] tags -  
> which requires successful authentication before the rest of the  
> script is run - i.e. [auth] is early in the page - above the other  
> Lasso action.  If a real person requests the page, everything is put  
> on hold until the user successfully authenticates.  The event  
> scheduler is just like a user, only you will have supplied it with a  
> username and password. When the scheduled page is run, the scheduler  
> responds (sort of) with the un/pw and the action is allowed to  
> continue.  If a user tried to load the page and could not  
> authenticate, nothing would happen.
>
> Caveat - as I mentioned in my first post I haven't had to do this  
> with my events, for unimportant reasons. So this is just my best  
> reasoning on the process.
>
> ...Doug
>
>
> On Sep 7, 2010, at 4:30 PM, Tami Williams wrote:
>
>> Meaning that the person sitting in front of the browser gets a  
>> dialog asking for the username and password but when the script  
>> runs from inside the Lasso scheduler it just works (no prompts)?  
>> What happens when the page is run by Lasso (vs. being invoked by  
>> someone via their browser)?
>>
>>
>>
>> On Sep 7, 2010, at 5:31 PM, Marc Vos wrote:
>>
>>> The public can only run the script when auth_<something> is  
>>> satisfied; which means that they cannot run the page without the  
>>> correct username and password.
>>>
>>> - -
>>> Marc
>>>
>>> Sent from my iPhone
>>>
>>> On 7 sep. 2010, at 23:26, Tami Williams <[hidden email]> wrote:
>>>
>>>> How does this stop a member of the public from loading the page  
>>>> in their browser and having the script run?
>>>>
>>>>
>>>> On Sep 7, 2010, at 5:12 PM, Marc Vos wrote:
>>>>
>>>>> I add auth_<something> to the page, and provide the username/
>>>>> password in the 'schedule event'-page.
>>>>>
>>>>> - -
>>>>> Marc
>>>>>
>>>>> On 7 sep 2010, at 19:31, Tami Williams wrote:
>>>>>
>>>>>> I'm curious - how do you "protect" your lasso scheduled scripts  
>>>>>> from being run by whomever?
>>>>>>
>>>>>> If the script is a .lasso page on the server and Lasso Site  
>>>>>> Admin was used to set up the schedule, what do you do to 'lock'  
>>>>>> it down?
>>>>>>
>>>>>> Besides adding a conditional to the page so that if it's being
>>>>>> called by any IP other than the Lasso server machine it does
>>>>>> NOT run - i.e. only run when called by the Lasso server machine,
>>>>>>
>>>>>> what other things have people done?
>>>>>>
>>>>>> Thanks in advance.