Encryption of Form Parameters

 


 

This feature allows the values that are passed into a form as parameters to be secured by adding an additional encrypted field. For example, to pass a customer id into a form, you might build a URL as follows.

 

www.yourdomain.com/ufs/ufsmain?formid=CUSTOMER_MAINTENANCE&CUSTOMER_ID=34567123

 

This might be passed to an end user in an email message, or invoked from a menu system as a URL. In either case, it is important that the value of customer id cannot be changed so the end user can only display and maintain their own details and cannot view or change another customer's details.

 

This is achieved in Ebase Xi by declaring that the CUSTOMER_ID is an encrypted parameter. (Encryption is an option in the field properties dialog.) The URL is then constructed using an additional parameter CUSTOMER_ID_ACCESSKEY:

 

www.yourdomain.com/ufs/ufsmain?formid=CUSTOMER_MAINTENANCE&CUSTOMER_ID=34567123&CUSTOMER_ID_ACCESSKEY=0sdfsdf7543

 

The name of the additional parameter is the parameter field name plus _ACCESSKEY. To use encrypted parameters you must generate this additional parameter and the encrypted value. The example below shows passing control to a different form with an encrypted customer id parameter:

 

FPL:

// Use the getufskey() function to encrypt the value
set ENCRYPTED_VALUE = getufskey(tostring(CUSTID));
goto form ACCESS_TEST2 CUSTOMER_ID = CUSTID, CUSTOMER_ID_ACCESSKEY = ENCRYPTED_VALUE;

API based language (Javascript):

// Use EncryptionServices.encrypt() to encrypt the value
var encryptedValue = EncryptionServices.encrypt(fields.CUSTID.value);
var parms = {};
parms.CUSTOMER_ID = fields.CUSTID.value;
parms.CUSTOMER_ID_ACCESSKEY = encryptedValue;
form.gotoForm("ACCESS_TEST2", parms);

 

 

 

When a form with an encrypted parameter is started, the system checks that the encrypted parameter (i.e. the field name plus _ACCESSKEY) exists and that the value is correct. If this check fails, an error is displayed to the end user. By default this error will be:

 

"A security error has occurred"

 

This message can be changed if required by changing system texts 300 and 310. These texts correspond to XXX_ACCESSKEY not found, and encryption comparison failed, respectively.

 

Changing the encryption key

The encryption key is changed from the Ebase Designer Tools menu (Tools -> Maintain Security) by clicking on the Encryption tab. This function is only available to users with the following authorization:

 

Type: SECADMIN

Name: ENCRYPTION

Function: WRITE

 

Note that function READ grants read-only access.

 

The dialog box below is displayed:

 

 

 

 

 

Installation secret key: any character string used to encrypt parameters

No. times encrypted: number of passes through the encryption algorithm

 

CAUTION: Changing these values in an operational system will cause any active links to fail. These values should only be changed before the encryption facility is used in production.
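The start-of-form check and the caution above, sketched as an added example. This is not Ebase Xi code and not the algorithm behind getufskey(), which this page does not describe: HMAC-SHA256 stands in for the encryption, the secret key and pass count are constructed stand-ins for the two Encryption tab settings, and makeAccessKey, buildLink and checkEncryptedParam are hypothetical names. The check returns 300 or 310 for the two failures that system texts 300 and 310 describe.

```javascript
// Added example, not Ebase Xi code: HMAC-SHA256 stands in for getufskey().
const crypto = require("crypto");

// Constructed stand-ins for the two settings on the Encryption tab.
const settings = { secretKey: "constructed-installation-secret", passes: 3 };

// Derive the access key for a value: `passes` rounds of a keyed hash (assumed model).
function makeAccessKey(value, cfg) {
  let tag = Buffer.from(String(value), "utf8");
  for (let i = 0; i < cfg.passes; i++) {
    tag = crypto.createHmac("sha256", cfg.secretKey).update(tag).digest();
  }
  return tag.toString("hex");
}

// Build a link carrying FIELD and FIELD_ACCESSKEY, shaped like the URLs on this page.
function buildLink(formId, field, value, cfg) {
  const q = new URLSearchParams({ formid: formId });
  q.set(field, String(value));
  q.set(field + "_ACCESSKEY", makeAccessKey(value, cfg));
  return "https://www.yourdomain.com/ufs/ufsmain?" + q.toString();
}

// Check made when the form starts. Returns 0 when the parameter is accepted,
// 300 when FIELD_ACCESSKEY is absent, 310 when the comparison fails.
function checkEncryptedParam(url, field, cfg) {
  const q = new URL(url).searchParams;
  const supplied = q.get(field + "_ACCESSKEY");
  if (supplied === null) return 300;
  const expected = Buffer.from(makeAccessKey(q.get(field) || "", cfg), "utf8");
  const got = Buffer.from(supplied, "utf8");
  // Compare lengths first: timingSafeEqual throws on buffers of unequal length.
  if (got.length !== expected.length) return 310;
  return crypto.timingSafeEqual(got, expected) ? 0 : 310;
}

const link = buildLink("CUSTOMER_MAINTENANCE", "CUSTOMER_ID", "34567123", settings);
const edited = link.replace("CUSTOMER_ID=34567123", "CUSTOMER_ID=34567124");
const rotated = { secretKey: "constructed-new-secret", passes: 3 };
console.log(checkEncryptedParam(link, "CUSTOMER_ID", settings));   // unchanged link
console.log(checkEncryptedParam(edited, "CUSTOMER_ID", settings)); // value edited
console.log(checkEncryptedParam(link, "CUSTOMER_ID", rotated));    // key changed
```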