February 12th, 2008, 07:43 PM
Maxxim

Thanks Imar!

It's a page where I see/delete the custom Logevents generated by my application!
If I use my administrator login I need to spend some time reading other stuff! It's complicated and I can't explain this very well.

quote: Originally posted by planoie
If you do not put some security mechanism on the secure page, I could simply navigate to it directly (of course I need to know what that page is). I don't need to know anything about the session variables or how to hack them. I could simply put in the URL of the supposedly "secure" page and navigate directly to it. This is Imar's point.

Now I don't understand!
Suppose that my page has one line of code like this in page_load or page_init:

if NOT session("xxx") = "yyy" then response.redirect("")

How can you get into my page? You can try, but you'll be redirected out of there at once!

But could you make a page on your server, generate/create my session var (if you know which one it is), put a link to my page on yours, and preserve the session var?
(I hope you understand my doubt)