How to keep records private
I have set up a system for users to log on and amend their profiles. For various reasons the best way to call their record up is like so: www.anyoldsite.com/profile.asp?username=user123. It works, of course: the recordset looks for the username field within the URL and passes the browser through to his/her page. Great. They amend, upload, save and all shows online and is searchable. Great! However...
... any enterprising user with time on his/her hands could soon discover that user123 in the address bar could be substituted for (say) user124 and hey presto - because he/she is already authenticated via user123 he/she has access to user124 too. The authentication script is as follows:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<%
' *** Restrict Access To Page: Grant or deny access to this page
' (Dreamweaver-generated snippet: it only checks that *someone* is signed in;
'  it never compares the requested record with the signed-in user.)
MM_authorizedUsers=""
MM_authFailedURL="signin.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  ' Access levels are not used here, so any authenticated session is granted
  If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  ' Not signed in: bounce to the sign-in page, remembering where we came from
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
How can I alter that to restrict users to their own record only? Started By Jockrock on Oct 9, 2009 at 5:17:52 AM
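The problem described in the post is that the snippet answers only "is anybody signed in?" and then trusts whatever username arrives in the query string. The fix is an ownership check on the server: the record key must come from the session the sign-in script created, and a URL value is accepted only when it matches that session value. The following classic ASP page header is an added example, not the poster's code or Dreamweaver's; the table name `Profiles`, the column `username`, the application variable holding the connection string and the 50-character column width are assumptions, since the post does not show the recordset.

```asp
<%
' *** Restrict Access To Page: the record shown is always the signed-in
' user's own. The session value is the only trusted identity; the URL is
' never used to choose whose record to load. (Added example; names assumed.)
Dim MM_authFailedURL, ownerName, requestedName, conn, cmd, rs
MM_authFailedURL = "signin.asp"

' 1. Authenticated? Same session variable the sign-in page sets.
If Session("MM_Username") = "" Then
  Response.Redirect MM_authFailedURL & "?accessdenied=" & _
                    Server.URLEncode(Request.ServerVariables("URL"))
End If
ownerName = CStr(Session("MM_Username"))

' 2. Authorised? A username in the query string is tolerated only when it
'    is the owner's own; anything else is refused before any data is read.
requestedName = Request.QueryString("username")
If requestedName <> "" And StrComp(requestedName, ownerName, vbBinaryCompare) <> 0 Then
  Response.Status = "403 Forbidden"
  Response.Write "You may only view your own profile."
  Response.End
End If

' 3. Load the record by the trusted session value, as a query parameter
'    rather than by concatenating it into the SQL text.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("MM_connProfiles_STRING")        ' assumed connection string
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM Profiles WHERE username = ?"  ' assumed table/column
cmd.CommandType = 1                                    ' adCmdText
' CreateParameter(name, adVarChar=200, adParamInput=1, size, value)
cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 50, ownerName)
Set rs = cmd.Execute
' ... the rest of profile.asp renders and updates rs as before ...
%>
```

With this header in place, a user who edits the address bar to `profile.asp?username=user124` gets a 403 instead of user124's record, and the update/save code further down the page only ever sees the row selected by the session. If you prefer the page to be forgiving, step 2 can redirect to `profile.asp?username=` & Server.URLEncode(ownerName) instead of refusing; the important part is that the lookup in step 3 keeps using `ownerName`, not the query string.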