Category: Tech Insight

Dedicated sub domains for cloud-hosted customers

Filed Under: News, Tech Insight, Tips and Tricks by midas — Leave a comment
September 29, 2016

We are delighted to announce the completion of our roll out of dedicated sub-domains for all our cloud hosted customers!

This follows a desire expressed by a few of our customers to be able to have their cloud-hosted MIDAS systems accessible via a dedicated sub domain.

The makeup of a URL containing a subdomain
The makeup of a URL containing a subdomain

What is a subdomain?

A subdomain is a part of a website’s domain name that comes before the main domain name, separated by a dot.

It functions as a separate website, but still shares the same primary domain name.

Think of it like an apartment within a larger building: it has its own address and entrance, but it’s still part of the overall structure.

Here’s an example:
Main domain: mid.as
Subdomain: demo.mid.as

Subdomains for new hosted customers

At the start of this year (2016) we began providing this to all new customers who chose a cloud hosted edition of MIDAS.

Let’s assume that your company was called “My Organization”. If you subscribed to a cloud-hosted edition of MIDAS in 2016, you would have been able to choose the dedicated MIDAS subdomain https://my-organization.mid.as for your hosted booking system.

However, if you purchased a cloud-hosted MIDAS system prior to 2016, you’d instead have been accessing your system via https://mid.as/my-organization.

This was before dedicated mid.as subdomains were available.

Subdomains for all hosted customers

The good news is that from today, we’ve now rolled out dedicated mid.as subdomains to all our hosted customers who purchased prior to 2016 as well!

So, if you previously accessed your hosted MIDAS system via https://mid.as/my-organization, you’ll now have the dedicated subdomain https://my-organization.mid.as. Old mid.as/my-organization URL’s will continue to work and redirect to my-organization.mid.as for some time.

If you purchased a cloud-hosted MIDAS system prior to 2016, we’d like to encourage you to update your bookmarks and links. Going forward, they should now point to your new dedicated mid.as subdomain!

There are a few things to note when updating your bookmarks/links:

  1. If your hosted MIDAS URL previously contained underscores (_), you’ll need to change these to hyphens () when updating your bookmarks and links.
    For example:
    https://mid.as/my_organization would now become https://my-organization.mid.as
  2. If your hosted MIDAS URL previously contained a domain name (other than mid.as) i.e. .co.uk, .com, etc, you’ll need to remove the end part when updating your bookmarks and links.
    For example:
    https://mid.as/myorganization.com would now become https://myorganization.mid.as
  3. If your hosted MIDAS URL previously contained any period characters (.) (other than the initial period in the primary “mid.as” domain), you’ll need to remove these when updating your bookmarks and links.
    For example:
    https://mid.as/my.organization would now become https://myorganization.mid.as

If you have any questions, or aren’t sure what the new dedicated subdomain for your hosted MIDAS system is, please don’t hesitate to contact us. Our team will be more than happy to help!

Tags: ,

Recent “Security Enhancements” in MIDAS

Filed Under: Tech Insight by midas — Leave a comment
April 19, 2016

As part of our ongoing commitment to security, you may notice that “Security Enhancements” often appears in the changelog when we release new builds.

In this blog post we’ll shed some light on some of the “security enhancements” that were recently introduced in MIDAS v4.11 and v4.12.

IP Change Detection

Starting with MIDAS v4.12, If a logged in user’s IP address changes whilst they are logged in, then the system will automatically log the user account out, forcing the user to log in again.

It’s rare that a user’s IP address would legitimately change mid-session, so this additional security enhancement will not be noticed by the majority of our users.

What it does do however is strengthen user sessions against a “session hijack“. In general terms, a “session hijack” is when a malicious attacker takes over a user account by gaining access to the unique identifying token (or cookie) of an active user session.

With the new IP Change Detection implemented in MIDAS v4.12, should a user fall victim to a session hijack, the session would be immediately invalidated as the originating IP address would suddenly change from the valid user’s IP address, to the IP address of the attacker.

→ Tip: User’s IP addresses are also logged in each MIDAS system’s Recent Activity Log

Shorter Cookie Persistence

We’ve all come across website with “Remember Me” or “Keep Me Logged In” tick boxes on login screens. These mean that you don’t have to remember your username & password for the site each time you come to log in. When you select this box, information is stored in a browser “cookie” and retrieved the next time you visit.

MIDAS has included a “Remember Me” tickbox on the login screen since v4.07 (September 2014). Previously, the cookie saved by your browser would persist until 1st January 2020 – some 4 years in the future!

This meant that if you were to log in to MIDAS today, you could come back to the same browser in a few years time, and still log in without needing to remember your credentials.

We felt this was a little too long for your browser to be retaining such data. Therefore, from MIDAS v4.12 the “Remember Me” option will only remember your details for a period of 90 days. If you don’t log in again within this period, you’ll have to manually enter your email address/password again the next time you do.

Why is this better? Well, it ensures that “dormant” user accounts (those not logged into for over 90 days) don’t have lingering login details persisting in client-side cookies.

Tip: MIDAS Administrators can choose to disable the “Remember Me” option completely. This may be done via MIDAS Admin Options → Manage MIDAS → Security

Improved Session Control

In MIDAS v4.11, we introduced a new security setting to automatically log out any users that have remained logged-in for more than a set number of hours. This setting may be found under MIDAS Admin Options → Manage MIDAS → Security → Session Control.

This is different to existing “inactivity” logout setting, which causes users to be logged off after a period of no activity. The additional “Always force logout after…” setting automatically logs users off after a set period of time, regardless if they are “active” or not.

Why is this useful? Well, browser extensions/addons exist which automatically “reload” a webpage at a recurring interval. This could potentially allow a user account to remain logged-in indefinitely, even if the “Inactivity forces logout after…” setting was set.

For example, if “Inactivity forces logout after…” setting in MIDAS was set to “1 hour”, then usually 1 hour after a user’s last interaction with MIDAS, they will be automatically logged off. However, if an addon/extension were setup to “reload” part of MIDAS every 30 minutes, this would look like “user activity” to MIDAS, and so the account would never be automatically logged out.

To combat this, the new additional “Always force logout after…” setting was introduced for v4.11. If your business usually runs 9am-5pm, you could set this setting to 8 hours. This will mean that no user account can remained logged in for more than 8 hours in total. So if a user was to log in at 9am and use a browser addon/extension to effectively remain logged in all day, they will still be automatically logged out of MIDAS at 5pm.

New Session Manager

MIDAS can be configured to allow concurrent logins to user accounts from multiple browsers/devices. When enabled, this allows a user to be concurrently logged into MIDAS from their laptop, phone, and tablet.

MIDAS v4.11 introduced a new “Session Manager“. This allows users to see other devices they’re currently logged in from. The session manager shows the IP address and browser of each session, and allows you to remotely log out!

Improved Password Change Behavior

MIDAS offers the ability to allow multiple concurrent logins to the same user account. In v4.11 we’ve enhanced this security. We’ve made it so that if a user changes their MIDAS password, all other devices they’re currently logged into from will be automatically logged out. Previously, changing a password from one device wouldn’t take effect on other devices a user was logged into until the next time they logged in.

Cryptographically-secure Random Number Generation

MIDAS stores passwords which are SHA512 hashed and randomly “salted”. The “randomness” of this “salt” has been improved starting with v4.11. Now, if the Perl module “Math::Random::Secure” is available on the server where a MIDAS system resides, MIDAS will utilize it to generate cryptographically-secure random numbers.

You might also be interested in:
Tips For Keeping Your MIDAS Secure
Tags: ,

Missing booking requests? – Your mail filters may be to blame!

Filed Under: Tech Insight by midas — Leave a comment
March 29, 2016

One of our customers recently contacted us to report a strange issue whereby booking requests made through their MIDAS scheduling system were seemingly vanishing from their system.

The “Booking Request” features of MIDAS, allow people to submit booking “requests” which then require approval by an administrator before becoming a “confirmed” booking.

There are a number of reasons why a booking request may legitimately appear to “vanish” from the system; first of all, another administrative user may have already rejected the original booking request, or the original requestor may have changed their mind and canceled their own request.

When a person makes a booking request, MIDAS automatically send them an email notification containing details of the request they’ve submitted. These email notifications also contain a “booking request cancellation link” allowing them to cancel their request if for whatever reason they’ve changed their mind before their request is approved.

Inspecting the provided “Recent Activity Log” for the customer’s MIDAS system, there was no evidence to suggest that another user had simply rejected the missing booking requests.

There was however evidence that the booking request cancellation links, contained within the notification emails sent to original requestors had been clicked.

The customer was confident that no-one had clicked these cancellation links in their emails.

Now, the “Recent Activity Log” within MIDAS is very useful – not only does it record actions performed within a MIDAS system, it also records the user who performed the action (where applicable), the time/date the action occurred, and the IP address of the device which performed the action.

This allowed us to correlate booking request cancellation link clicks with the IP addresses from which each originated.

Interestingly, the IP addresses could all be traced back to Barracuda Networks, Inc, a company offering security products, including email security and spam filters.

So what was going on?

Once upon a time spam filters could easily detect spam email messages, as spammers tended to the same domains in their spam. As a result, spam filtering software could simply scan the content of an email message, and cross-reference any links contained within against a list of known spamming domains.

Many spam filters still behave in this way, however, in an attempt to stay one step ahead of the spammers, some spam filtering software/services – such as those provide by Barracuda Networks, Inc, go one step further and actively “click” EVERY link in every email they scan. The purpose behind this is to analyze the content and domain every link points to.

Whilst this will most likely help reduce spam further for the recipient, it can have a number of undesired consequences for users!

For example, if the recipient subscribes to any newsletters/mailing lists which contain a one-click unsubscribe link at the bottom, they will be automatically unsubscribed simply by receiving the email itself, before they even open it – let alone click the unsubscribe link!

The same thing was happening for our customer’s booking request notification emails – the booking request cancellation links were being automatically “clicked” by the spam filtering software/services which were scanning the recipient’s email.

Balancing user convenience vs aggressive mail scanners

We’ve always believed in making things as easy as possible for users – which is why we originally made canceling booking requests as simple as a “one-click” link – click once, and your request is canceled.

However, in light of these recent issues, we’re making a small change for MIDAS v4.12. Canceling a booking request will now unfortunately be a two-step process. Clicking a booking request cancellation link in a notification email will take the requestor to a web page where they will need to then click a confirm button in order to cancel their request.

The introduction of this second confirmation step, whilst less convenient for the end-user, will at least prevent aggressive mail filtering software/services which automatically “click” every link in every email, from automatically canceling booking requests without any human interaction.

The same “two-step” behavior will also be applied for links in booking/invoice reminder emails to suppress future reminders from a MIDAS system.

In the meantime, if you’re running an earlier version of MIDAS, and notice your booking requests being automatically canceled without any intervention, please check and adjust the settings in your mail scanning/filtering software. You may need to add email from your MIDAS system to an “allow list”, or prevent the automatic following of links within email.

Tags: , ,

New High Resolution SVG Graphics

Filed Under: Development, Tech Insight by midas — Leave a comment
April 1, 2015

Something interesting is happening in the world of video displays. At one of end of the spectrum, mobile device screens are becoming ever smaller. However, at the other end, TV and computer screens are becoming increasingly larger. But in both cases, the actual display “resolution” is increasing exponentially. Resolution refers to the picture detail, or the number of individual “dots”, known as “pixels”. High Definition (HD) and Ultra High Definition (4K UHD) displays are fast becoming the norm.

We’ve designed MIDAS to be visually “responsive”. That means that it adapts itself to displaying on a wide range of device screen and orientations, including desktops, laptops, tablets, and mobile devices.

For MIDAS v4.09 we’re also introducing a new special “High Resolution” theme. This is ideally suited if you access MIDAS from a device with a large, high definition, screen.

So how does this “High Resolution” theme work?

Well, traditionally, images and icons within the various visual themes for MIDAS have been in JPG or PNG image formats.

These are very common, standard, image formats which have been around for years. They’re used on just about every website you’ll visit!

JPG images are traditionally used for photographic or background images. In fact, in the majority of the visual themes available for MIDAS, a .jpg image is used as the main background image. JPG images are “compressed” leading to small file sizes (and therefore faster downloading times) whilst retaining a high level of detail.

PNG images on the other hand are traditionally “lossless”, meaning they retain all the original image information without compression. They have the advantages over JPG of being higher quality and also allowing for transparency. However, they but have the disadvantage of typically being larger in size than a JPG equivalent image.

MIDAS makes use of PNG images for the various buttons and icons contained within each theme.

We carefully optimize both JPG and PNG images within the various theme packs available for MIDAS to make them as small and as quick to load as possible, without noticeably affecting image quality.

One major downside of both image formats however is that neither “scale” particularly well….

Enter SVG!

SVG stands for “Scalable Vector Graphics”. An AVG image can be scaled up without any loss of quality or blurred edges.

Here’s a good way to illustrate this using the standard “Add Bookings” PNG icon found in the default theme which ships with MIDAS:

png iconscaled png icon
The icon at normal sizeThe icon at x3 its original size

Now, let’s look at an equivalent SVG icon:

svg iconscaled svg icon
The icon at normal sizeThe icon at x3 its original size

As you can see, at its original dimensions (40 x 40 pixels) both the PNG and SVG icons look virtually the same. However, scaling both by a factor of three leaves the PNG icon looking distinctly “blurry”, whilst the SVG equivalent retains its “crispness”.

That’s why, for the benefit of users with very high resolution displays, we’ve created a “High Resolution” version of the Default theme for MIDAS v4.09 which uses SVG icons, and SVG gradient backgrounds. We’ve also made the traditional blue background image slightly less of an intense “blue” as a result of customer feedback.

Here’s an example of how the traditional “Default” theme compares with the new “High Resolution” theme in v4.09:

MIDAS v4.09 default visual theme
MIDAS v4.09 – Default Theme
MIDAS v4.09 new high resolution default visual theme
MIDAS v4.09 – “Hi Res” Default Theme
UPDATE – 22 May 2015: MIDAS v4.09 has now been released and we’re including both the Default and the Default (High Resolution) themes with this build.
If you’re running MIDAS on your own server, here’s how to Configure your server to handle SVG images so that you can take advantage of the new High Resolution theme!
Tags: ,