Hi: I have a question. I need to check if a user is the one who has permission for a certain action. His role is stored in the database, for example user.isStudent. The whole student object is stored in the session after he logs in successfully. From that point on, every time he sends a request that invokes an action, I need to verify if this student is who he claims he is. I could include a hidden field, for example his email, in every page I send back to him and get this property back to verify who he is. I was wondering if this approach is problematic since he could manipulate the hidden field. Any better solutions to that? Thanks a lot!
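The concern raised in the question, shown as an added example that is not part of the original post: a check that reads identity from a hidden form field next to one that reads it only from the server-side session. The user records, the in-memory session store and all function names are hypothetical and constructed for illustration; no particular web framework is assumed.

```python
import secrets

# Constructed sample data standing in for the database (hypothetical names).
USERS = {
    "alice@example.edu": {"email": "alice@example.edu", "isStudent": True},
    "bob@example.edu": {"email": "bob@example.edu", "isStudent": False},
}
SESSIONS = {}  # server-side store: session id -> user record


def login(email):
    """After successful authentication, bind the user record to a random session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = dict(USERS[email])
    return sid  # sent to the browser as a cookie; the record itself stays on the server


def action_trusting_hidden_field(form):
    """Weak: identity comes from a hidden form field the client controls."""
    user = USERS.get(form.get("email"))
    return bool(user and user["isStudent"])


def action_trusting_session(session_id, form):
    """Hardened: identity and role come only from the server-side session."""
    user = SESSIONS.get(session_id)
    if user is None:
        return False  # no valid session: treat as not logged in
    # Any identity field in the form is ignored; it is never used for authorization.
    return bool(user["isStudent"])


def demo():
    bob_sid = login("bob@example.edu")
    alice_sid = login("alice@example.edu")
    tampered = {"email": "alice@example.edu"}  # hidden field altered on the client
    return {
        "hidden_field_bob": action_trusting_hidden_field(tampered),
        "session_bob": action_trusting_session(bob_sid, tampered),
        "session_alice": action_trusting_session(alice_sid, {}),
        "no_session": action_trusting_session("unknown", tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The session id is the only value the browser holds, and it is an unguessable random token, so changing form fields cannot change which user record the server consults.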