Must protect ID when showing dynamic pages

05 Jan 2004 02:58:54 Kurt Näslund posted:
I have made a small web site where login is required. I store username and password etc. in a SQL db. Each user is given an ID, which is displayed like: mysite/customer.asp?ID=10.

So far, so good. BUT, if someone is clever enough to edit the ID to something else (when it is showing in the address field of the browser), it is very simple to access someone else's dynamic pages...

Does someone know how I can integrate some kind of randomness for the ID? Or somehow protect the site in any other way? I need to use the ID, since several parts of the site rely on this.

regards
kurt

Replies

05 Jan 2004 13:09:17 Vince Baker replied:
One way of doing this is to set a cookie to the user ID when the user logs in. Then, have a condition on the page that checks that the Querystring ID matches that of the cookie... if not, redirect them to a page that warns them not to try to change the ID.



Regards
Vince

Visit my home: www.chez-vince.com

VBScript | ASP | HTML | SQL | Oracle | Hosting
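
An added example, not part of either post above: a version of the ownership check for customer.asp that keeps the logged-in ID in the server-side Session object, which the browser cannot alter the way it can a query-string or cookie value. The login step that sets `Session("UserID")`, the `Customers` table and its columns, the DSN name and `login.asp` are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' customer.asp - added example, not the poster's code.
' Assumes the login page, after verifying the password, stored the
' account's numeric ID server-side:  Session("UserID") = CLng(rs("ID"))
' Table, column, DSN and page names below are hypothetical.

Dim sessionId, requestedId, cmd, rs

' 1. No server-side session value means the visitor never logged in.
If IsEmpty(Session("UserID")) Then
    Response.Redirect "login.asp"
End If
sessionId = CLng(Session("UserID"))

' 2. The ID in the URL is untrusted input. Compare it as text with the
'    session's ID so malformed or oversized values are simply refused.
requestedId = Request.QueryString("ID")
If requestedId <> CStr(sessionId) Then
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If

' 3. Load the record with the session's ID, never the query-string value,
'    and bind it as a parameter instead of concatenating it into the SQL.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = "DSN=mysite"
cmd.CommandText = "SELECT Username FROM Customers WHERE ID = ?"
' 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , sessionId)
Set rs = cmd.Execute

If Not rs.EOF Then
    Response.Write "Welcome, " & Server.HTMLEncode(rs("Username").Value & "")
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

Because the query is keyed on the session value, pages that still carry `?ID=` in their links keep working, but the parameter no longer decides whose data is shown.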
