web site security

[maswien]

Can anybody give me some advice on security of a website?

For example, there sre different kind of users for a site,
each user are granted to access a set of pages but can't access other pages, I know I can use http_referer to determine which this user came from and I know who he is,
but the draw back is that if I want those pages be secured , then all the html file need to be using .asp suffix and must all include a piece of code to detect where the user coming from (if he is from the login page, then show this page to the user, otherwise redirect to other page). Is this the best approach to achieve the requirement?

Any idea is welcome!


Thanks

 

[GaryC123]

Assuming you have some field in the db which says what level of access they have - 1,2,3 - where 1 might be all pages, 2 would be some other pages etc
So when they login set a session variable to this value e.g. session("access")
Then on the top of every page put this
<%
if instr("1,2", session("access"))=0 then response.redirect "login.asp"
%>

The numbers 1,2 are the access levels required to access the page - so just change these accordingly for each page, of course you may not want to redirect them to the login page if they are already logged in but maybe a page saying access is restricted to that page.


' allowed to access

http://www.eatdrinkandsleep.com

 

[maswien]

Thanks, GaryC123

That's definately better solution!