Welcome to the p2p.wrox.com Forums.
You are currently viewing the Dreamweaver (all versions) section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

September 6th, 2003, 04:00 AM
Authorized User
Join Date: Jun 2003
Posts: 65
Login user & restrict access
I just noticed something the other day on my website.
If a customer logs in to check out his order status, all works fine, but if he copies the URL and changes the customerID from, let's say, 555 to, let's say, 444, which is a valid customerID, then he can actually see those orders as well.
I changed the RSOrders to the following code:
<%
Dim rsCustomerOrdersOrdersDetails__MMColParam
rsCustomerOrdersOrdersDetails__MMColParam = "0"
If (Session("MM_Username") <> "") Then
rsCustomerOrdersOrdersDetails__MMColParam = Session("MM_Username")
End If
%>
<%
set rsCustomerOrdersOrdersDetails = Server.CreateObject("ADODB.Recordset")
rsCustomerOrdersOrdersDetails.ActiveConnection = MM_storeSQL_STRING
rsCustomerOrdersOrdersDetails.Source = "SELECT OrderID, OrderDate, SubTotal, ShippingCost, GrandTotal, OrderStatus, CustomerID, LastName, FirstName, CustomerEmail, BillingAddress, BillingCity, BillingStateOrProvince, BillingPostalCode, BillingCountry, BillingPhoneNumber FROM dbo.CustomerOrdersOrdersDetails WHERE CustomerEmail='" + Replace(rsCustomerOrdersOrdersDetails__MMColParam, "'", "''") + "'"
rsCustomerOrdersOrdersDetails.CursorType = 0
rsCustomerOrdersOrdersDetails.CursorLocation = 2
rsCustomerOrdersOrdersDetails.LockType = 1
rsCustomerOrdersOrdersDetails.Open()
rsCustomerOrdersOrdersDetails_numRows = 0
%>
Does anybody know a better login process?

September 6th, 2003, 04:36 AM
Wrox Author
Join Date: Jun 2003
Posts: 17,089
Hi Lucian,
It makes sense that customers can see orders from other customers as well in the current implementation. The Restrict Access to Page behavior that Dreamweaver uses does nothing more than see if a customer is logged in, or not. It doesn't distinguish between customers.
The fix, however, is easy. You should make the following changes:
1. On your login page, where you set Session("MM_Username"), also save the Customer ID in a Session variable:
Session("MM_CustomerID") = ValueFromRecordset
You'll need to add the CustomerID column to the SQL statement so it is retrieved from the database as well.
2. Change the page where you can view the orders. You basically have two options:
a) Redirect users when they try to view orders they are not allowed to see. I assume you have something like this to check the access:
Code:
If Session("MM_Username") <> "" Then
If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
(InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
MM_grantAccess = true
End If
End If
Add the following lines to that code block:
Code:
If (Session("MM_CustomerID") <> Request.QueryString("CustomerID")) Then
' A request is made for orders that do not belong to the current customer
MM_grantAccess = false
End If
This will disallow access to the page when the requested CustomerID does not match the current CustomerID.
b) Change your SQL statement so it queries just the orders for the current customer:
Code:
' CustomerID comes from the Session variable set on the login page (step 1), never from the URL
rsCustomerOrdersOrdersDetails.Source = "SELECT OrderID, OrderDate, SubTotal, " & _
    "ShippingCost, GrandTotal, OrderStatus, CustomerID, LastName, " & _
    "FirstName, CustomerEmail, BillingAddress, BillingCity, " & _
    "BillingStateOrProvince, BillingPostalCode, BillingCountry, " & _
    "BillingPhoneNumber FROM dbo.CustomerOrdersOrdersDetails " & _
    "WHERE CustomerEmail='" & Replace(rsCustomerOrdersOrdersDetails__MMColParam, "'", "''") & _
    "' AND CustomerID = " & Session("MM_CustomerID")
This will limit the recordset to just the orders that belong to the current customer.
If you have any questions, feel free to ask.
Cheers,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
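The flaw and both fixes from the reply above, as an added example that is not code from the thread: the vulnerable pattern filters on the CustomerID the browser sent, option a) denies a mismatch against the session's customer, and option b) scopes the WHERE clause to the session's customer. Table and column names follow the thread; the rows and e-mail addresses are constructed sample data, and parameterized queries stand in for the Replace(..., "'", "''") quoting.

```python
import sqlite3

# Constructed sample data: two orders for customer 555, one for customer 444.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CustomerOrdersOrdersDetails "
               "(OrderID INTEGER, CustomerID INTEGER, CustomerEmail TEXT, GrandTotal REAL)")
    db.executemany("INSERT INTO CustomerOrdersOrdersDetails VALUES (?, ?, ?, ?)", [
        (1, 555, "customer555@example.com", 10.0),
        (2, 555, "customer555@example.com", 20.0),
        (3, 444, "customer444@example.com", 30.0),
    ])
    return db

def orders_trusting_url(db, query):
    """Original flaw: the only filter is the CustomerID taken from the query string."""
    rows = db.execute("SELECT OrderID FROM CustomerOrdersOrdersDetails WHERE CustomerID = ?",
                      (int(query["CustomerID"]),))
    return [r[0] for r in rows]

def orders_option_a(db, session, query):
    """Option a): keep the URL parameter but refuse a mismatch (MM_grantAccess = false).
    Both sides are compared as strings so a numeric session value and the
    string query value line up."""
    if str(session.get("MM_CustomerID")) != str(query.get("CustomerID")):
        return None  # caller redirects to MM_authFailedURL
    return orders_trusting_url(db, query)

def orders_option_b(db, session):
    """Option b): the WHERE clause uses the session's customer; the URL is never consulted."""
    rows = db.execute(
        "SELECT OrderID FROM CustomerOrdersOrdersDetails "
        "WHERE CustomerEmail = ? AND CustomerID = ?",
        (session["MM_Username"], session["MM_CustomerID"]))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    session = {"MM_Username": "customer555@example.com", "MM_CustomerID": 555}  # set at login
    tampered = {"CustomerID": "444"}  # customer 555 edits the URL to 444
    print(orders_trusting_url(db, tampered))        # [3]: the other customer's order leaks
    print(orders_option_a(db, session, tampered))   # None: access denied
    print(orders_option_b(db, session))             # [1, 2]: only the session customer's orders
```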

September 6th, 2003, 06:07 AM
Authorized User
Join Date: Jun 2003
Posts: 65
What do you think about this:
<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers="CustomerID"
MM_authFailedURL="loginfailed.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
(InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
MM_grantAccess = true
End If
End If
If (Session("MM_CustomerID") <> Request.QueryString("CustomerID")) Then
' A request is made for orders that do not belong to the current customer
MM_grantAccess = false
End If
If Not MM_grantAccess Then
MM_qsChar = "?"
If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
MM_referrer = Request.ServerVariables("URL")
if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
Response.Redirect(MM_authFailedURL)
End If
%>
<%
Dim rsCustomer__MMColParam
rsCustomer__MMColParam = "0"
if (Session("MM_Username") <> "") then rsCustomer__MMColParam = Session("MM_Username")
%>
<%
set rsCustomer = Server.CreateObject("ADODB.Recordset")
rsCustomer.ActiveConnection = MM_storeSQL_STRING
rsCustomer.Source = "SELECT * FROM dbo.Customers WHERE CustomerEmail='" + Replace(rsCustomer__MMColParam, "'", "''") + "'"
rsCustomer.CursorType = 0
rsCustomer.CursorLocation = 2
rsCustomer.LockType = 1
rsCustomer.Open()
rsCustomer_numRows = 0
%>
I made those changes and now it does not matter what you change in the URL address bar it still shows only the session customer details or orders.
Anything to improve this code?

September 7th, 2003, 04:48 AM
Wrox Author
Join Date: Jun 2003
Posts: 17,089
Hi Lucian,
Where was the original parameter from the QueryString used? I don't see any of that in your code, so I don't know exactly what went wrong.
The basic idea is that your WHERE clause uses at least two filters: a CustomerID from the Session object, and something from the QueryString, although I don't know what you are using the second parameter for. So use something like this:
WHERE SomeColumn = 'SomeValue' AND SomeOtherColumn = 'SomeOtherValue'
What exactly do you want to show to your visitors? What are they allowed to see and what not? On what parameters do you base this decision?
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
|
|

September 7th, 2003, 06:32 AM
|
|
Authorized User
|
|
Join Date: Jun 2003
Posts: 65
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
I'll tell you what happened.
Ignore the first post as the second is the one I am using at the moment.
The query is on the SSL part of the website, where customers have the capability of checking the order status and also of modifying their details such as the shipping/billing address.
They can only view the details after they are logged in, by going to My Account.
I have a few ASP pages that keep track of what the user is doing on the website based on IP logging, and I noticed that one smart ass, by changing the CustomerID in the address bar (URL), could actually see those details as well. I wasn't expecting that from a program like Macromedia's (it doesn't come cheap) and had never bothered to check it out myself.
I was looking at the code for "Restrict Access To Page" and I noticed that it is not a big deal, but I actually never checked it out myself to see if you could see any orders by changing the URL.
I've had everything based on a CustomerID & OrderID query in the RS, but I've changed it to session("MM_UserName") and it seems fine at the moment, but I am still worried about it.

September 7th, 2003, 12:21 PM
Wrox Author
Join Date: Jun 2003
Posts: 17,089
Hi Lucian,
I don't think you can blame Dreamweaver for this. The Server Behaviors that Dreamweaver supplies deal with Authentication (whether a user is allowed to log in using valid credentials like a username and password or not), while what you are dealing with right now is about Authorization (what a user can see / do and cannot see / do once they are logged in).
Authorization is very application specific, so it's almost impossible to create Dreamweaver Server Behaviors that accommodate all possible generic situations. (You can find Dreamweaver Extensions that deal with specific authorization issues, like Shopping Carts at the Dreamweaver Extension site.)
By using Session variables, you have created a pretty secure solution. Once a user logs in, you store their User ID / Name in a Session variable and use that throughout your site. Users have no direct access to the Session variable, so it's impossible for them to change the value you have saved in that variable.
Passing sensitive information like User IDs, passwords etc through the querystring is never a good idea. Storing them in Session variables is a much more secure solution.
If your code using Session variables works fine, you shouldn't be worried. If it doesn't work, please tell me what's wrong, post some code and I'll take a look at it.
Regards,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.