August 17th, 2009, 07:59 PM
Old Pedant

Quote:
What you are referring to is called "security by obscurity" which is a bad thing. E.g. you think your application is safer because data is harder to guess. However, it's still open and guessable, and thus insecure.
And even if a user can't guess a different id, he/she can copy/paste *THAT* ID and pass it all around the internet for anybody and everybody to see. And then who knows what will happen?

You really should be checking the user's status, as Imar suggested. Usually, Session variables are the easiest thing to use with ASP and they are indeed pretty darned secure. As secure as the userid/password system that you use to login users, say.

If you are not currently requiring logins, then you will always be somewhat vulnerable. It goes with the territory.