Before a user can get to any personal info, they should have to log in. If authenticated, set a session variable (session_id = 23) and use that instead of the URL variable.
Clear the structure when the user logs out.

> All,
>
> I have an application that passes an id value through a hyperlink that
> the user clicks on in an e-mail. The id feeds the page and extracts
> information and populates the form fields with the user's information.
>
> THE PROBLEM:
> If a user is viewing their customized information with their user
> id=23, then what would prevent them from viewing other people's
> information by editing the id value to say, id=24?
>
> SOLUTIONS: ???
> 1) Should I scramble the value in some long string and extract a value
> from it? For example for id=23 replace it with id=ei38skdh23skdu83 and
> pull 23 out of the string?
> 2) Set a cookie that contains the same id value and if the values
> don't match kick them out to some other page?
>
> Any suggestions would be great.
> D-

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/lists.cfm?link=t:4
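The session-bound lookup the reply suggests, as an added example in framework-neutral Python rather than the poster's ColdFusion code: the record is selected by the server-side session, never by the id in the URL, and the session struct is cleared at logout. The user table, password table, session store and the cookie name `sid` are all constructed for the demo.

```python
import secrets
from typing import Dict, Optional

# Constructed sample data: two users whose records must stay separate.
USERS = {
    23: {"name": "Alice", "email": "alice@example.com"},
    24: {"name": "Bob", "email": "bob@example.com"},
}
# Constructed credentials; plaintext only so the demo runs stand-alone.
PASSWORDS = {23: "alice-pw", 24: "bob-pw"}

# Server-side session store: unguessable cookie value -> session struct.
SESSIONS: Dict[str, dict] = {}


def profile_vulnerable(query: dict) -> Optional[dict]:
    """The pattern from the question: the URL's id picks the record, so
    changing id=23 to id=24 in the link returns Bob's data to Alice."""
    return USERS.get(int(query["id"]))


def login(user_id: int, password: str) -> Optional[str]:
    """Authenticate first; on success store the id in a server-side
    session struct and hand back only a random cookie value."""
    if PASSWORDS.get(user_id) != password:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id}
    return sid


def logout(sid: str) -> None:
    """Clear the structure on logout so the cookie can't be replayed."""
    SESSIONS.pop(sid, None)


def profile_hardened(cookies: dict, query: dict) -> Optional[dict]:
    """Ignore any id in the URL; the authenticated session decides whose
    record is shown. Returns None when there is no valid session (a real
    app would redirect to the login page here)."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return None
    return USERS.get(session["user_id"])
```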