On Fri, 12 Sep 2003, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> All,
>
> I have an application that passes an id value through a hyperlink that
> the user clicks on in an e-mail. The id feeds the page and extracts information and
> populates the form fields with the user's information.
>
> THE PROBLEM:
> If a user is viewing their customized information with their user id=23, then what
> would prevent them from viewing other people's information by editing the id value to,
> say, id=24?
Nothing would stop them from altering it. One way to prevent this is to create a session and then set a session variable with their user id (this would be accessed via #SESSION.userid#, for example). The benefit to this is that, while they could alter the URL, it is quite a bit harder to forge a session correctly (since it uses the CFID and CFTOKEN, in addition to the variable stored in the SESSION scope).

Jason

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/lists.cfm?link=t:4
Subscription: http://www.houseoffusion.com/lists.cfm?link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Get the mailserver that powers this list at http://www.coolfusion.com
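The following is an added ColdFusion example illustrating the two messages above; it is not code from either poster. It shows the page as described in the question (record selected by URL.id, so any user can read any record by changing the number) next to the session-based version Jason describes. The table and column names (users, user_id, name, email), the datasource name "app", the file names, and the qLogin query on the login page are all assumptions made for the example.

```cfml
<!--- Added example, not from the original posts. Assumed schema: a "users"
      table with user_id, name, email; assumed datasource name "app". --->

<!--- ================================================================
      BEFORE: the page from the question. The id comes straight from the
      e-mail hyperlink, so changing ?id=23 to ?id=24 shows user 24's data.
      (cfqueryparam stops SQL injection, but not this authorization bug.)
      ================================================================ --->
<cfquery name="qUser" datasource="app">
    SELECT user_id, name, email
    FROM   users
    WHERE  user_id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- ================================================================
      AFTER: Jason's approach. The user id lives in the SESSION scope,
      which the browser cannot edit; it only holds CFID/CFTOKEN cookies
      that name the server-side session.
      ================================================================ --->

<!--- Application.cfm (assumed file): turn session management on --->
<cfapplication name="myApp"
               sessionmanagement="yes"
               setclientcookies="yes"
               sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">

<!--- login.cfm (assumed file, relevant part only): SESSION.userid is set
      ONLY here, after the submitted credentials were checked by qLogin.
      Nothing reachable from a URL parameter ever assigns it. --->
<cfif qLogin.recordCount EQ 1>
    <cflock scope="SESSION" type="EXCLUSIVE" timeout="10">
        <cfset SESSION.userid = qLogin.user_id>
    </cflock>
</cfif>

<!--- profile.cfm (assumed file): the page the e-mail link points to --->

<!--- Read the session id into a local variable under a read lock --->
<cfset currentUserId = 0>
<cflock scope="SESSION" type="READONLY" timeout="10">
    <cfif IsDefined("SESSION.userid")>
        <cfset currentUserId = SESSION.userid>
    </cfif>
</cflock>

<!--- No session: the user clicked the e-mail link without logging in.
      Send them to the login page and bring them back afterwards. --->
<cfif currentUserId EQ 0>
    <cfset returnTo = CGI.SCRIPT_NAME & "?" & CGI.QUERY_STRING>
    <cflocation url="login.cfm?returnto=#URLEncodedFormat(returnTo)#" addtoken="no">
</cfif>

<!--- If the e-mail link still carries an id, a mismatch means someone
      edited it. Refuse rather than silently showing their own record,
      so the attempt is visible in the logs. --->
<cfif IsDefined("URL.id") AND URL.id NEQ currentUserId>
    <cfthrow type="Application.AccessDenied"
             message="Requested record does not belong to the logged-in user">
</cfif>

<!--- The record is selected by the SESSION value, never by URL.id --->
<cfquery name="qUser" datasource="app">
    SELECT user_id, name, email
    FROM   users
    WHERE  user_id = <cfqueryparam value="#currentUserId#" cfsqltype="cf_sql_integer">
</cfquery>
```

Two points worth noting about this design. First, the session only helps if SESSION.userid is assigned exclusively by the login step; if any page copies URL.id into the session, the original hole is back. Second, because the link arrives in an e-mail, the first click usually has no session yet, so the page has to bounce through a login and return, as the redirect above does; the id in the link then becomes redundant and is kept only as a cross-check against the authenticated user.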

