manipulating url querystring security problem

Status
Not open for further replies.

cammy (Technical User, GB), Feb 4, 2002
Hi

I have designed a login page and update pages based on users logging in checked against a mysql database. The user is redirected using their 'id' passed in a querystring. This is unacceptable from a security point of view as I can manually change the url to gain access to any record.

I could do without having to start again with this as I'm a beginner and it takes me a while to do anything.

Is there a quick piece of code which I could add to each page which would check the value of a session variable in the database against its id and prevent access to any other ids?

Any other solutions or help would be great.

Cheers

Cammy
 
Session variables are very easy to use, and I find that they are just the right thing for situations like this as they are inaccessible to the client-side user. If you're going to use a session variable and check it against a querystring, you could probably just eliminate the querystring altogether. So a user logs in and upon validation a session variable is assigned:
Code:
Session("uservalidated") = 1
Session("useridval") = userid  'Whatever userid is active (userid is assumed to hold the id looked up at login)
You just assign those on validation, and your logout processing would clear them. On a page that requires validation for use a simple check will do it:
Code:
If Session("uservalidated")=1 Then
   'Validated area
Else
   'Redirect to login
End If
Hope this helps!
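Added example, not code from the thread: the three approaches discussed here side by side in Python (the thread is classic ASP, but the authorization logic is the same). It uses an in-memory SQLite table constructed to stand in for the MySQL users table, a dict `session` standing in for the ASP Session object set at login as in the reply above, and the assumed function names `vulnerable_profile`, `checked_profile` and `session_profile`.

```python
import sqlite3
from urllib.parse import parse_qs

LOGIN_REDIRECT = "redirect:/login"
FORBIDDEN = "forbidden"


def make_db():
    """Constructed stand-in for the MySQL users table in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "cammy", "cammy@example.invalid"),
                    (2, "other", "other@example.invalid")])
    return db


def _load_user(db, user_id):
    # Parameterised query: the id is bound, never pasted into the SQL text.
    row = db.execute("SELECT id, name, email FROM users WHERE id = ?",
                     (user_id,)).fetchone()
    return {"id": row[0], "name": row[1], "email": row[2]} if row else None


def _querystring_id(querystring):
    # Missing or non-numeric ids fall back to 0, which matches no row.
    value = parse_qs(querystring).get("id", ["0"])[0]
    return int(value) if value.isdigit() else 0


def vulnerable_profile(db, querystring):
    """The pattern the question describes: whoever edits the URL picks the record."""
    return _load_user(db, _querystring_id(querystring))


def checked_profile(db, session, querystring):
    """The asker's idea: keep ?id= but refuse it unless it matches the session."""
    if session.get("uservalidated") != 1:
        return LOGIN_REDIRECT
    if _querystring_id(querystring) != session["useridval"]:
        return FORBIDDEN
    return _load_user(db, session["useridval"])


def session_profile(db, session, querystring):
    """The reply's idea: ignore the querystring and use the session's id only."""
    if session.get("uservalidated") != 1:
        return LOGIN_REDIRECT
    return _load_user(db, session["useridval"])
```

The session dict is server-side state, so a user who changes `?id=2` in the URL still only ever reaches the record whose id was stored at login.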
 
Also if your login form uses [tt]action="post"[/tt] then at least the user's credentials will be concealed inside the HTTP request instead of in the QueryString.
 
Thanks for your replies.

I have got it working eventually.

Missing quotation marks here and there were causing me problems due to different field types in my mysql database.

Cheers

Cammy
 