> -----Original Message-----
> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 12, 2003 5:53 PM
> To: CF-Talk
> Subject: ?id=23
>
> All,
>
> I have an application that passes an id value through a hyperlink that
> the user clicks on in an e-mail. The id feeds the page and extracts
> information and populates the form fields with the user's information.
>
> THE PROBLEM:
> If a user is viewing their customized information with their user id=23,
> then what would prevent them from viewing other people's information by
> editing the id value to say, id=24?

Nothing, apparently. ;^)

> SOLUTIONS: ???
> 1) Should I scramble the value in some long string and extract a value
> from it? For example for id=23 replace it with id=ei38skdh23skdu83 and
> pull 23 out of the string?

This is known as "security through obfuscation" and is never a good idea. Sooner or later somebody will figure it out.

> 2) Set a cookie that contains the same id value and if the values don't
> match kick them out to some other page?

I wouldn't bother as both values are sent in the same page - it wouldn't be hard to spoof.

Obviously at the front end you're doing something to ensure that the user can see ID number 23, right? I would just do that again... before you display anything run an entitlement check. If they change the number they'd be hit with a "you can't see this" message.

Jim Davis

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/lists.cfm?link=t:4
Subscription: http://www.houseoffusion.com/lists.cfm?link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. http://www.cfhosting.com
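The entitlement check Jim describes, placed next to the two rejected options, as an added example that is not part of the thread (the original application is ColdFusion; the pattern is platform-independent and is written here in Python). The record store, the session store, the session tokens and the request shape are all constructed for the demonstration.

```python
# Added example (not code from the CF-Talk thread): the "entitlement check"
# recommended in the reply, shown beside the behaviour the question describes
# and the cookie-match idea (option 2). All data below is constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed records: the id that appears in the e-mail link, and who owns it.
RECORDS = {
    23: {"owner": "alice", "name": "Alice Example", "phone": "555-0123"},
    24: {"owner": "bob", "name": "Bob Example", "phone": "555-0124"},
}

# Constructed server-side session store: an opaque session cookie issued at
# login maps to the authenticated user. Nothing in the URL decides identity.
SESSIONS = {
    "s3ss10n-alice": "alice",
    "s3ss10n-bob": "bob",
}


@dataclass
class Request:
    """The parts of an HTTP request the three handlers look at (hypothetical shape)."""
    query_id: int                        # the ?id= value; fully under the client's control
    session_token: Optional[str] = None  # session cookie set at login
    cookie_id: Optional[int] = None      # option 2 from the thread: id copied into a cookie


Response = Tuple[int, object]  # (HTTP status, body)


def handler_as_described(req: Request) -> Response:
    """The page as described in the question: the id alone selects the record."""
    record = RECORDS.get(req.query_id)
    return (200, record) if record else (404, "not found")


def handler_cookie_match(req: Request) -> Response:
    """Option 2: require the cookie id to equal the query id.

    Both values travel in the same request and are set by the same client,
    so the comparison says nothing about who is logged in.
    """
    if req.cookie_id != req.query_id:
        return (403, "you can't see this")
    return handler_as_described(req)


def handler_entitlement_check(req: Request) -> Response:
    """The reply's suggestion: re-run the front-end check before displaying anything.

    Identity comes from the server-side session. The id from the link is only
    honoured once the record it names is confirmed to belong to that user.
    """
    user = SESSIONS.get(req.session_token)
    if user is None:
        return (401, "please log in")
    record = RECORDS.get(req.query_id)
    if record is None or record["owner"] != user:
        # Same response for "not yours" and "does not exist", so the id space
        # cannot be mapped out by watching which ids answer differently.
        return (403, "you can't see this")
    return (200, record)
```

Because the check is keyed on the session rather than on anything in the request URL, editing `?id=23` to `?id=24` only changes which record is compared against the logged-in user; the comparison fails and the "you can't see this" response is returned.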

