
As part of our ongoing commitment to security, you may notice that “Security Enhancements” often appears in the changelog when we release new builds.

In this blog post we’ll shed some light on some of these “security enhancements” that were recently introduced in MIDAS v4.11 and v4.12.

IP Change Detection

Starting with MIDAS v4.12, if a logged-in user’s IP address changes whilst they are logged in, the system will automatically log the user account out, forcing the user to log in again.

It’s rare that a user’s IP address would legitimately change mid-session, and so this additional security enhancement will not be noticed by the majority of our users.

What it does do, however, is strengthen user sessions against a “session hijack”. In general terms, a “session hijack” is when a malicious attacker takes over a user account by gaining access to the unique identifying token (or cookie) of an active user session.

With the new IP Change Detection implemented in MIDAS v4.12, should a user fall victim to a session hijack, the session would be immediately invalidated as the originating IP address would suddenly change from the valid user’s IP address, to the IP address of the attacker.

→ Tip: Users’ IP addresses are also logged in each MIDAS system’s Recent Activity Log

Shorter Cookie Persistence

We’ve all come across websites with “Remember Me” or “Keep Me Logged In” tick boxes on login screens, meaning that you don’t have to remember your username & password for the site each time you come to log in. When you select this box, information is stored in a browser “cookie” and retrieved the next time you visit.

MIDAS has included a “Remember Me” tickbox on the login screen since v4.07 (September 2014). Previously, the cookie saved by your browser would persist until 1st January 2020 – some 4 years in the future!

This meant that if you were to log in to MIDAS today, you could come back to the same browser in a few years’ time, and still log in without needing to remember your credentials.

We felt this was a little too long for your browser to be retaining such data, and as such from MIDAS v4.12 the “Remember Me” option will only remember your details for a period of 90 days. If you do not log in to MIDAS again within that period, you’ll have to manually enter your email address/password again.

Why is this better? Well, it ensures that “dormant” user accounts (i.e. accounts not logged into for over 90 days) don’t have lingering login details persisting in client-side cookies.

→ Tip: MIDAS Administrators can choose to disable the “Remember Me” option completely (via MIDAS Admin Options → Manage MIDAS → Security)

Improved Session Control

In MIDAS v4.11, we introduced a new security setting (MIDAS Admin Options → Manage MIDAS → Security → Session Control) to automatically log out any users that have remained logged in for more than a set number of hours.

This is different to the existing “inactivity” logout setting, which causes users to be logged off after a period of no activity. The additional “Always force logout after…” setting will automatically log users off after a set period of time, regardless of whether they are “active” or not.

Why is this useful? Well, web browser extensions/addons exist which allow you to “reload” a web page (or part of a web page) on a recurring interval. This could potentially allow a user account to remain logged in indefinitely, even if the “Inactivity forces logout after…” setting was set.

For example, if the “Inactivity forces logout after…” setting in MIDAS was set to “1 hour”, then usually 1 hour after a user’s last interaction with MIDAS, they will be automatically logged off. However, if an addon/extension were set up to “reload” part of MIDAS every 30 minutes, this would look like “user activity” to MIDAS, and so the account would never be automatically logged out.

To combat this, the new additional “Always force logout after…” setting was introduced for v4.11. If your business usually runs 9am-5pm, you could set this setting to 8 hours. This will mean that no user account can remain logged in for more than 8 hours in total. So if a user was to log in at 9am and use a browser addon/extension to effectively remain logged in all day, they will still be automatically logged out of MIDAS at 5pm.

New Session Manager

MIDAS can be configured to allow concurrent logins to user accounts from multiple browsers/devices. When enabled, this would allow a user to be logged into MIDAS from their laptop, phone, and tablet all at the same time.

MIDAS v4.11 introduced a new “Session Manager” allowing users to see other devices they’re currently logged in from (including IP address and browser) and remotely log each of them out!

Improved Password Change Behavior

Given that MIDAS provides the ability (if enabled) to allow multiple concurrent logins to the same user account, in v4.11 we’ve enhanced security and made it so that if a user changes their MIDAS password, then all other devices they’re currently logged in from will be automatically logged out. Previously, changing a password from one device wouldn’t take effect on other devices a user was logged into until the next time they logged in.
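The checks from the IP Change Detection, Improved Session Control and Improved Password Change Behavior sections above, sketched as an added Python example. This is not MIDAS's own code; the `SessionStore` class, its method names and the 1-hour/8-hour limits (taken from the worked example in the text) are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

IDLE_LIMIT = 60 * 60          # "Inactivity forces logout after..." = 1 hour
ABSOLUTE_LIMIT = 8 * 60 * 60  # "Always force logout after..." = 8 hours


@dataclass
class Session:
    user: str
    ip: str
    created: float    # login time, never refreshed
    last_seen: float  # refreshed on every accepted request


class SessionStore:
    """Hypothetical server-side session table (token -> Session)."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, ip, now):
        token = secrets.token_urlsafe(32)  # unguessable session token
        self.sessions[token] = Session(user, ip, now, now)
        return token

    def check(self, token, ip, now):
        """Return (ok, reason); any failure destroys the session server-side."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown"
        if ip != s.ip:
            reason = "ip_changed"        # token presented from another address
        elif now - s.created >= ABSOLUTE_LIMIT:
            reason = "absolute_timeout"  # applies even to an "active" session
        elif now - s.last_seen >= IDLE_LIMIT:
            reason = "idle_timeout"
        else:
            s.last_seen = now            # only an accepted request is activity
            return True, "ok"
        del self.sessions[token]
        return False, reason

    def change_password(self, user, current_token):
        """End every other session of this user; return how many were ended."""
        stale = [t for t, s in self.sessions.items()
                 if s.user == user and t != current_token]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def simulate_auto_reload(store, token, ip, start, every=30 * 60, hours=9):
    """Constructed scenario: a browser add-on reloads a page every 30 minutes."""
    t = start
    while t < start + hours * 3600:
        t += every
        ok, reason = store.check(token, ip, t)
        if not ok:
            return t - start, reason     # seconds since login, why it ended
    return None, "still_logged_in"
```

With the 30-minute reload the idle limit is never reached, so only the absolute limit ends the session, at the 8-hour mark.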

Cryptographically-secure Random Number Generation

MIDAS stores passwords which are SHA512 hashed and randomly “salted”. The “randomness” of this “salt” has been improved starting with v4.11. Now, if the Perl module “Math::Random::Secure” is available on the server where a MIDAS system resides, then MIDAS will utilize this module to generate cryptographically-secure random numbers.


MIDAS v4.12 Out Now!

We’ve been actively developing our Web Based Room Booking and Resource Scheduling Software for over 10 years now!

During this time we’ve seen many competitors come and go, and numerous customers making the switch to MIDAS. We have a genuine passion for how our software helps make life easier, saving time, money, and effort for venue administrators right across the globe, and we remain extremely customer-focused.

With exciting new and improved features being added to MIDAS several times each year, we’re pleased to tell you about our latest update – v4.12 – which has just been released!

New & Improved in 4.12:

How To Get MIDAS v4.12…

→ New To MIDAS?

We are committed to keeping our pricing fair and accessible to organizations of all sizes and budgets. Unlike many of our competitors who don’t publish their prices, we’re totally upfront and transparent about our pricing structure and clearly display prices on our website.

You can view pricing, find out more, and purchase MIDAS securely at https://mid.as/purchase

→ Existing “Self Hosted” Customer?

Self-Hosted customers with ongoing Annual Support Subscriptions may update to v4.12 right now! It only takes a couple of clicks – simply log in to your MIDAS system and go to MIDAS Admin Options → Manage MIDAS → Update

→ Existing “Cloud Hosted” Customer?

Cloud-Hosted customers don’t need to do anything! – All our active Cloud-Hosted MIDAS customers were automatically updated over the weekend to this latest version of MIDAS!

Help Improve MIDAS!

We’re able to bring you exciting updates like v4.12 thanks in part to our Beta Testers – many of whom are just everyday MIDAS users!

Our Beta Testers get early-access to upcoming releases to explore and provide feedback on, allowing us to make changes and address potential issues before each new version is publicly released.

We also reward Testers for their contributions with discounts against the cost of purchasing MIDAS, or which can be used against upgrades & renewals for an existing MIDAS system!

We’re always on the lookout for additional testers to help shape future versions of MIDAS. It’s free to get involved and you don’t need any previous experience.

Find out more, apply now, and help shape future MIDAS releases


If you have any questions about MIDAS, why not drop us an email, or reach out to us through social media – We’d love to hear from you!


World Backup Day 2016

Today is World Backup Day, an annual event raising awareness of the importance of keeping your critical files and data regularly backed-up.

We strongly believe in the importance of regularly backing-up data you can’t afford to lose, and to that end we built in a number of backup features to our world class web-based room booking and resource scheduling software, MIDAS to do just that!

MIDAS seamlessly makes a complete and automated backup of its own database and settings upon the first successful login each and every day. These database backups are then compressed (typical backups are less than 1MB each in size) and stored on the server where your MIDAS resides for a period of time you specify, typically up to 30 days.

To further protect your data, these automated daily backups can additionally be optionally emailed to a specified email address each day too, allowing you to retain your own “off-site” copy of your database too!

In addition to these automated backups, MIDAS also provides the ability to manually generate instant backups at any time via a one-click “Backup” button (accessed via MIDAS Admin Options → Manage MIDAS → Database → Backup Now)

Database backups (whether generated manually or automatically) can be easily and readily restored – either partially or in full – at any time via a simple restore user interface available through MIDAS Admin Options → Manage MIDAS → Database → Restore. So, should you ever wish to “roll back” your MIDAS system to an earlier point in time, or if you suffer a massive server failure and lose data, you can have your MIDAS system back up and running in next to no time!

Backup and Restore in MIDAS

For more information on the powerful backup/restore features of MIDAS, please see https://mid.as/help/manage_database_settings

For our cloud hosted customers (who don’t run MIDAS on their own infrastructure, but instead choose to have their MIDAS “hosted” by us in the “cloud”), we also take complete database backups daily, which are then stored off-site at two separate locations for a period of six months.

What’s more, we also offer an “Emergency Access” addon for our hosted customers. This optional addon allows cloud-hosted customers to access a “real-time” backup of their hosted MIDAS system in the event that they are ever unable to access their primary cloud-hosted MIDAS system. These backups run on different servers, in different data centers, via different ISPs to our Primary Servers.

So, as you can see from all the above features and procedures we’ve built into our software, we take backups very seriously! And we make it painlessly easy to ensure that your important MIDAS booking data can easily and readily be backed up and restored with the minimum of fuss!

But on World Backup Day today, whilst your MIDAS data is taken care of, why not take a moment to backup your own important personal files – your family photos, home videos, documents and emails too!? Yes, it may seem a little time consuming, but you’ll be glad you did should anything ever happen to the originals!

One of our customers recently contacted us to report a strange issue whereby booking requests made through their MIDAS scheduling system were seemingly vanishing from their system.

The “Booking Request” features of MIDAS, allow people to submit booking “requests” which then require approval by an administrator before becoming a “confirmed” booking.

There are a number of reasons why a booking request may legitimately appear to “vanish” from the system; first of all, another administrative user may have already rejected the original booking request, or the original requestor may have changed their mind and canceled their own request.

When a person makes a booking request, MIDAS automatically sends them an email notification containing details of the request they’ve submitted. These email notifications also contain a “booking request cancellation link” allowing them to cancel their request if for whatever reason they’ve changed their mind before their request is approved.

Inspecting the provided “Recent Activity Log” for the customer’s MIDAS system, there was no evidence to suggest that another user had simply rejected the missing booking requests.

There was however evidence that the booking request cancellation links, contained within the notification emails sent to original requestors had been clicked.

The customer was confident that no-one had clicked these cancellation links in their emails.

Now, the “Recent Activity Log” within MIDAS is very useful – not only does it record actions performed within a MIDAS system, it also records the user who performed the action (where applicable), the time/date the action occurred, and the IP address of the device which performed the action.

This allowed us to correlate booking request cancellation link clicks with the IP addresses from which each originated.

Interestingly, the IP addresses could all be traced back to Barracuda Networks, Inc, a company offering security products, including email security and spam filters.

So what was going on?

Once upon a time spam filters could easily detect spam email messages, as spammers tended to use the same domains in their spam. As a result, spam filtering software could simply scan the content of an email message, and cross-reference any links contained within against a list of known spamming domains (known as a “blacklist”).

Many spam filters still behave in this way. However, in an attempt to stay one step ahead of the spammers, some spam filtering software/services – such as those provided by Barracuda Networks, Inc – go one step further and actively “click” EVERY link in every email they scan. The purpose behind this is to analyze the content and domain every link points to.

Whilst this will most likely help reduce spam further for the recipient, it can have a number of undesired consequences for users!

For example, if the recipient subscribes to any newsletters/mailing lists which contain a one-click unsubscribe link at the bottom, they will be automatically unsubscribed simply by receiving the email itself, before they even open it – let alone click the unsubscribe link!

The same thing was happening for our customer’s booking request notification emails – the booking request cancellation links were being automatically “clicked” by the spam filtering software/services which were scanning the recipient’s email.

Balancing user convenience vs aggressive mail scanners

We’ve always believed in making things as easy as possible for users – which is why we originally made canceling booking requests as simple as a “one-click” link – click once, and your request is canceled.

However, in light of these recent issues, we’re making a small change for MIDAS v4.12. Canceling a booking request will now unfortunately be a two-step process. Clicking a booking request cancellation link in a notification email will take the requestor to a web page where they will need to then click a confirm button in order to cancel their request.

The introduction of this second confirmation step, whilst less convenient for the end-user, will at least prevent aggressive mail filtering software/services which automatically “click” every link in every email, from automatically canceling booking requests without any human interaction.

The same “two-step” behavior will also be applied for links in booking/invoice reminder emails to suppress future reminders from a MIDAS system.
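The one-click link and the two-step flow described above, side by side, as an added Python example. This is not MIDAS's own code; the handler names, the HMAC link token, the signing key and the request id `1042` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # assumption: per-installation signing key


def link_token(request_id):
    """Unguessable token placed in the e-mailed cancellation link."""
    return hmac.new(SECRET, request_id.encode(), hashlib.sha256).hexdigest()


def _valid(db, request_id, token):
    # Constant-time comparison of the presented token with the expected one.
    return request_id in db and hmac.compare_digest(
        token.encode(), link_token(request_id).encode())


def one_click_cancel(db, method, request_id, token):
    """One-click behaviour: simply following the link cancels the request."""
    if not _valid(db, request_id, token):
        return 403, "invalid link"
    db[request_id] = "cancelled"  # state change on a plain GET
    return 200, "request cancelled"


def two_step_cancel(db, method, request_id, token):
    """Two-step flow: GET only shows a confirm button, POST cancels."""
    if not _valid(db, request_id, token):
        return 403, "invalid link"
    if method == "GET":
        # Fetching the page has no side effect on the booking request.
        return 200, '<form method="post"><button>Confirm cancellation</button></form>'
    if method == "POST":
        if db[request_id] == "pending":
            db[request_id] = "cancelled"
        return 200, "request cancelled"
    return 405, "method not allowed"


def mail_scanner_visit(handler, db, request_id):
    """Constructed stand-in for a filter that fetches every link in an email."""
    handler(db, "GET", request_id, link_token(request_id))
    return db[request_id]  # state of the booking request after the fetch


if __name__ == "__main__":
    for handler in (one_click_cancel, two_step_cancel):
        db = {"1042": "pending"}  # constructed booking request store
        print(handler.__name__, "->", mail_scanner_visit(handler, db, "1042"))
```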

In the meantime, if you’re running an earlier version of MIDAS, and notice your booking requests being automatically canceled without any intervention, please check and adjust the settings in your mail scanning/filtering software to “whitelist” email from your MIDAS system or prevent the automatic following of links within email.

The next update to our Web Based Room Booking and Resource Scheduling software MIDAS is fast approaching, and throughout March we’re giving you a first look at some of the new features and improvements you can look forward to in MIDAS v4.12.

A growing selection of templates are available and editable within MIDAS, allowing you to customize and tailor the appearance of various parts of the software, as well as printouts and emails.

Templates are constructed using a combination of common HTML code and special MIDAS variables – don’t worry if you’re not familiar with HTML, we’ve produced a handy “What is HTML and how do I use it within my MIDAS templates?” guide, complete with simple examples.

MIDAS also includes a visual WYSIWYG (what-you-see-is-what-you-get) template editor where you can simply drag/drop/insert elements into your templates, rather than entering raw HTML code.

Since the introduction of templates, email templates in particular contained a special %CONTENT% variable. This variable would be automatically substituted for generated content when an email was sent. For example, here’s some simplified content for a Booking Confirmation email template in MIDAS v4.11:

Dear %CLIENT_FIRSTNAME%,
Details of your confirmed booking at %DATABASE% are as follows:
%CONTENT%
We look forward to seeing you then!

In the above template, when a booking confirmation email is sent, the variable %CLIENT_FIRSTNAME% is automatically substituted with the forename of the client the notification is to be sent to and %DATABASE% is substituted with the name of your MIDAS database (usually your organization’s name).

The %CONTENT% variable is then replaced with details of the client’s bookings, and would include the booking fields that had been selected via MIDAS Admin Options → Manage MIDAS → Fields → Show In → Booking Confirmation.

Using the above template, the resulting email content may look like:

Dear Joe,
Details of your confirmed booking at St James are as follows:

Date/Times: 21/03/2016 @ 09:00 – 10:30
Venue: Room 1
Resources: x1 Laptop, x1 Data Projector

Date/Times: 21/03/2016 @ 09:00 – 10:30
Venue: Room 2
Resources: x4 Tables, x20 Chairs

We look forward to seeing you then!

For MIDAS v4.12, we’ve overhauled email templates to give you far greater flexibility and control over the generated content of emails. The rigid %CONTENT% variable has been replaced with more useful variables. For example, a new booking confirmation email template may now look like this:

Dear %CLIENT_FIRSTNAME%,
Details of your confirmed booking at %DATABASE% are as follows:

<bookings>
Dates/Times: %START% – %FINISH%
Venue: %VENUE%
Resources: %RESOURCES%
</bookings>

We look forward to seeing you then!

…as you can see, the original %CONTENT% variable has been replaced in v4.12 with a <bookings> … </bookings> section, in which you can add your own text and variables to customize the generated content exactly as you’d like. You can also include content from any custom booking fields you’ve added to MIDAS – for example, if you’ve created a booking field named “Test Field”, you can insert the variable %CUSTOM_TEST_FIELD% into the <bookings> … </bookings> section. (This brings email templates in line with the format of templates in our optional Digital Signage and Web Calendars addons, which have always supported <bookings> … </bookings> template sections)

We’ve also added support for a couple of new variables too; %BOOKING_COST% and %TOTAL_COST%.

%BOOKING_COST% can be added within the <bookings> … </bookings> section and will be substituted for the cost of the individual booking (including both venue and resource usage).

%TOTAL_COST% can be added anywhere in the template and will be substituted for the total cost of all the bookings listed in the email.

When editing templates via MIDAS Admin Options → Manage MIDAS → Templates, a complete list is displayed of all available variables that can be inserted into the current templates.

We believe replacing the limited %CONTENT% variable with a flexible <bookings> … </bookings> section in email notifications will give customers far greater control over the appearance and content of emails sent through MIDAS.
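How a template with a <bookings> … </bookings> section can be expanded, as an added Python example. This is not MIDAS's own renderer; the function names, the two-decimal cost format and the HTML-escaping of substituted values are assumptions. Each part of the template is substituted exactly once, so a booking field whose text happens to look like a variable is not expanded a second time.

```python
import html
import re

VAR = re.compile(r"%([A-Z0-9_]+)%")
SECTION = re.compile(r"<bookings>(.*?)</bookings>", re.S)

# Constructed template in the v4.12 style shown above.
TEMPLATE = (
    "Dear %CLIENT_FIRSTNAME%,\n"
    "Details of your confirmed booking at %DATABASE% are as follows:\n"
    "<bookings>\n"
    "Dates/Times: %START% - %FINISH%\n"
    "Venue: %VENUE% (%BOOKING_COST%)\n"
    "</bookings>\n"
    "Total: %TOTAL_COST%\n"
)

# Constructed sample bookings; the second venue carries hostile-looking text.
SAMPLE = [
    {"cost": 10.0, "fields": {"START": "21/03/2016 @ 09:00", "FINISH": "10:30",
                              "VENUE": "Room 1"}},
    {"cost": 5.5, "fields": {"START": "21/03/2016 @ 09:00", "FINISH": "10:30",
                             "VENUE": "%TOTAL_COST% <Room 2>"}},
]


def fill(text, values):
    """Substitute %NAME% variables once; unknown names are left untouched."""
    def repl(m):
        name = m.group(1)
        # Escape values because templates are HTML (assumption of this example).
        return html.escape(str(values[name])) if name in values else m.group(0)
    return VAR.sub(repl, text)


def render_email(template, client, database, bookings):
    total = sum(b["cost"] for b in bookings)
    top = {"CLIENT_FIRSTNAME": client, "DATABASE": database,
           "TOTAL_COST": f"{total:.2f}"}
    out = []
    # split() with one capture group: even parts are outside the section,
    # odd parts are the section body, repeated once per booking.
    for i, part in enumerate(SECTION.split(template)):
        if i % 2 == 0:
            out.append(fill(part, top))
        else:
            for b in bookings:
                per = {**top, **b["fields"],
                       "BOOKING_COST": f"{b['cost']:.2f}"}
                out.append(fill(part, per))
    return "".join(out)


if __name__ == "__main__":
    print(render_email(TEMPLATE, "Joe", "St James", SAMPLE))
```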

MIDAS v4.12 is expected to be made available to Beta Testers later this month, with a general release shortly after. We’re currently looking for additional testers to help test and provide feedback/bug reports on pre-release versions of our software. Becoming a tester is free and no experience is required, and what’s more we’ll reward you for your participation! Find out more about becoming a MIDAS Beta Tester here.

If you would like to be notified when v4.12 is fully released, then why not join our Mailing List?