How to keep records private
I have set up a system for users to log on and amend their profiles. For various reasons the best way to call their record up is like so: www.anyoldsite.com/profile.asp?username=user123. It works, of course: the recordset looks for the username field within the URL and passes the browser through to his/her page. Great. They amend, upload, save and all shows online and is searchable. Great! However......
... any enterprising user with time on his/her hands could soon discover that user123 in the address bar could be substituted for (say) user124 and hey presto - because he/she is already authenticated via user123, he/she has access to user124 too. The authentication script is as follows:
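' *** Restrict Access To Page: Grant or deny access to this page
' Lines marked (restored) were missing from the post; they are the standard
' Dreamweaver-generated text for this block.
If Session("MM_Username") <> "" Then
  ' This only checks that somebody is logged in, not which record they may open
  If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then ' (restored)
    MM_grantAccess = true
  End If ' (restored)
End If ' (restored)
If Not MM_grantAccess Then
  ' Not logged in: send the browser to the login page, remembering where it came from
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL) ' (restored)
End If ' (restored)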
How can I alter that to restrict user to their record only?
Started By Jockrock on Oct 9, 2009 at 5:17:52 AM
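An added example, not part of the original post or of Dreamweaver's generated code: one way to tie profile.asp to the logged-in user is to key the recordset on Session("MM_Username") and refuse any username in the URL that does not match it. The connection string, the "users" table, the "username" column and login.asp are hypothetical names, and usernames are assumed to be case-insensitive.

```vbscript
<%
' profile.asp: added example, not the original poster's code.
' Hypothetical: CONN_STRING, table "users", column "username", login.asp.
Const CONN_STRING = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\data\site.mdb"
Const adVarChar = 200
Const adParamInput = 1

Dim sessionUser, requestedUser, cmd, rs

' Identity comes from the session, which only the login script can set.
sessionUser = CStr(Session("MM_Username"))

' 1. Authentication: no session, no page.
If sessionUser = "" Then
  Response.Redirect "login.asp"
End If

' 2. Authorization: the URL may still carry ?username=..., but it is only
'    accepted when it names the caller's own record. A mismatch is refused
'    rather than silently corrected, so it shows up in the server logs.
requestedUser = Trim(Request.QueryString("username"))
If requestedUser <> "" And StrComp(requestedUser, sessionUser, vbTextCompare) <> 0 Then
  Response.Status = "403 Forbidden"
  Response.Write "You may only edit your own profile."
  Response.End
End If

' 3. Load the record using the session value, never the query string,
'    through a parameterised command so the value cannot change the SQL.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = CONN_STRING
cmd.CommandText = "SELECT * FROM users WHERE username = ?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, sessionUser)
Set rs = cmd.Execute

If rs.EOF Then
  Response.Status = "404 Not Found"
  Response.End
End If

' Render the edit form from rs; encode every value written into HTML.
Response.Write "Editing profile for " & Server.HTMLEncode(rs("username").Value)

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The page that saves the amended profile needs the same rule: its UPDATE should bind Session("MM_Username") in the WHERE clause rather than trust a username posted from the form.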