September 7th, 2003, 06:32 AM
lucian

I'll tell you what happened.
Ignore the first post as the second is the one I am using at the moment.

The query is on the SSL part of my website, where customers have the capability of checking their order status and are also able to modify their details, such as shipping/billing address.
They can only view the details after they are logged in by going to My Account.

I have a few ASP pages that keep track of what the user is doing on the website based on IP logging, and I noticed that one smart ass, by changing the CustomerID in the address bar (URL), could actually see those details as well. I wasn't expecting that from a program such as Macromedia (it doesn't come cheap) and never bothered to check it out myself.
I was looking at the code for "Restrict Access To Page" and I noticed that it is not a big deal, but I actually never checked it out myself to see if you could see any orders by changing the URL.

I've had everything based on a CustomerID & OrderID query in the RS, but I've changed it to session("MM_UserName") and it seems fine at the moment, but I am still worried about it.
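The change described in the post, keying the order recordset on the logged-in session user instead of a CustomerID taken from the URL, shown as an added example that is not part of the original post or of Dreamweaver's generated code. The table and column names (Orders, Customers, UserName, Status, ShipAddress), the Application("ConnString") setting and login.asp are assumptions.

```asp
<%
' Added example. Before the fix, the recordset filtered on URL input, e.g.
'   WHERE CustomerID = <Request.QueryString("CustomerID")>
' so any logged-in user could read another customer's rows by editing the URL.
Dim userName, orderId, connString, cmd, rs

' Identity comes only from the server-side session written at login.
userName = Session("MM_UserName") & ""
If userName = "" Then
    Response.Redirect "login.asp"          ' hypothetical login page
End If

' OrderID may still arrive in the URL, but it is validated and never trusted
' on its own: the query below also requires that the order belongs to userName.
If Not IsNumeric(Request.QueryString("OrderID")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
orderId = CLng(Request.QueryString("OrderID"))

connString = Application("ConnString")     ' hypothetical setting name

Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = connString
cmd.CommandType = 1                        ' adCmdText
cmd.CommandText = "SELECT o.OrderID, o.Status, o.ShipAddress " & _
                  "FROM Orders o INNER JOIN Customers c " & _
                  "ON c.CustomerID = o.CustomerID " & _
                  "WHERE o.OrderID = ? AND c.UserName = ?"
' Parameters are bound in order; 3 = adInteger, 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("OrderID", 3, 1, , orderId)
cmd.Parameters.Append cmd.CreateParameter("UserName", 200, 1, 50, userName)
Set rs = cmd.Execute

If rs.EOF Then
    ' Same answer for "no such order" and "not your order",
    ' so the response does not confirm which OrderIDs exist.
    Response.Status = "404 Not Found"
Else
    Response.Write Server.HTMLEncode(rs("Status").Value & "")
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The same ownership condition belongs on the UPDATE statements behind the shipping/billing edit pages, since a hidden CustomerID form field can be altered as easily as the URL.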