On 6/28/07, Anton Pussep <[EMAIL PROTECTED]> wrote:
I cannot see a good solution for that. A permission system just to check if the user is allowed to see this ID seems to be quite an overhead to me. Whereas storing the ID in the session is not very handy and I have to take care that they are removed safely.
The rule of web applications (heck... all multi-tiered apps) is to NEVER EVER trust information sent by the client. If a user needs to have access to a particular ID, you need to check on every request... or store his 'privileges' in the session and check there. (The session should time out after a period of inactivity and/or be refreshed with new privilege data when it changes.)
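Both options from the reply, server-side, as an added example that is not code from the thread: a per-request ownership check against the authoritative store, and a session cache of the user's permitted IDs that is refreshed after a timeout. The record store, the `Session` class and the TTL value are constructed for illustration.

```python
import time

# Constructed sample data: the server-side truth about who owns which record.
OWNER_OF = {101: "alice", 102: "alice", 201: "bob"}

PRIVILEGE_TTL = 300  # seconds a session may use cached privileges before reloading


class Session:
    """Minimal server-side session; holds the authenticated user, never the client's IDs."""
    def __init__(self, user):
        self.user = user
        self.allowed_ids = None   # cache of permitted IDs, loaded from the store
        self.loaded_at = 0.0


def load_privileges(user):
    """Authoritative lookup: the set of record IDs this user may view."""
    return {rid for rid, owner in OWNER_OF.items() if owner == user}


def can_view_per_request(user, record_id):
    """Option 1: consult the authoritative store on every request."""
    return OWNER_OF.get(record_id) == user


def can_view_cached(session, record_id, now=None):
    """Option 2: keep privileges in the session, refreshed once they are older than the TTL."""
    now = time.time() if now is None else now
    if session.allowed_ids is None or now - session.loaded_at > PRIVILEGE_TTL:
        session.allowed_ids = load_privileges(session.user)
        session.loaded_at = now
    return record_id in session.allowed_ids


def change_owner(record_id, new_owner, sessions):
    """Privilege change: update the store and drop every cached copy so it is reloaded."""
    OWNER_OF[record_id] = new_owner
    for s in sessions:
        s.allowed_ids = None


def handle_view(session, client_supplied_id):
    """Request handler: parse the untrusted ID, authorize against the store, then serve."""
    try:
        record_id = int(client_supplied_id)
    except (TypeError, ValueError):
        return 400
    if not can_view_per_request(session.user, record_id):
        return 403  # the client named an ID it is not entitled to
    return 200
```

The ID from the request is used only as a lookup key; whether the caller may see it is decided by `OWNER_OF`, and the cached variant shows why a timeout or explicit invalidation matters once ownership changes.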