Keep users from manually changing address?


veekay
06-19-2006, 04:57 PM
Sorry if this is the wrong forum or even the wrong website, but we just found a problem with our site that has apparently existed for years. It seems that just by manually changing one number in the URL, people can jump around to other users' information without being logged in as them. Here is an example:

http://www.mywebsite.com/userloggedin.asp?intUser=7

Can be changed to:

http://www.mywebsite.com/userloggedin.asp?intUser=28

and the user will have access to everything of the other user.

I guess the spot in the code that tells what url to use is this: (modified)

'Response.Redirect "userloggedin.asp?intUser="& m_intUser
Response.Redirect "userloggedin.asp?intUser="& m_intUser

Is there perhaps some way to keep this all internal without showing in the URL bar or perhaps make it so that someone can't change the directories manually without logging back in? I'm sure a lot more information would be needed to give an accurate answer, but any help would be greatly appreciated as we no longer have the programmer/coder of the website with us. This is all on IIS6 and SQL 2005 for the databases and such. Thanks!

lmf232s
06-19-2006, 05:22 PM
I tend to use session variables for user information so that I don't have to pass this kind of information in the query string and so that you don't take the chance of the problems you're experiencing.

When the user logs in and is validated, then do
(I would leave the original variable the same name and just add the Session("") around it; this way you can do a find and replace on the entire site and it won't require you to make any major code modifications)

Session("m_intUser") = objRS("Value")

Then you don't need to pass the user's value in the query string, and on page userloggedin.asp, whatever section of code uses m_intUser you can just change it to

Session("m_intUser")

This variable will stay populated as long as the session is available on the server. Typically 20 min if you don't request a new page, or longer/shorter depending on whether someone has manually set it in code. There are a couple of other things that can kill a session, but I won't get into them.

You can read more about sessions and how to use them here as well as how to destroy them.

http://www.w3schools.com/asp/asp_sessions.asp

veekay
06-19-2006, 05:30 PM
Thank you for the suggestion, I'll be sure to look into it. Do I put the Session("m_intUser") = objRS("Value") part on the same page or on the page that users first login at?

lmf232s
06-19-2006, 05:38 PM
* Make sure to make a copy of the page so in case you mess it up you can at least revert back to what you have now.

You'll put this code on the page where the user logs in and you hit the database to authenticate the user.

Session("m_intUser") = objRS("Value")

Only objRS("Value") will be equal to the value where m_intUser is currently being set.

If I had to guess, the page where you want to look is wherever you found this code.

'Response.Redirect "userloggedin.asp?intUser="& m_intUser


Somewhere on that page you should see something like this

m_intUser = objRS("?") or similar

Change to

Session("m_IntUser") = Whatever is currently there


Then somewhere on the page userloggedin.asp the value intUser is being called like

Request.QueryString("intUser")

and is either used in code just like I typed it, or they have it set to a variable so it might look like

UserId = Request.QueryString("intUser")


You won't need this code any more, so you can comment it out w/ a '
Then wherever that variable is used, just replace it w/

Session("m_IntUser")


Let us know how it goes.

veekay
06-19-2006, 05:48 PM
The site does already use sessions, but that doesn't seem to keep people from changing the URL manually and moving around. Some of the parts you mentioned are similar to what is there. Is what you are trying to describe the code that will stop the ?intUser=28 part from showing in the URL, or just setting up the sessions to work? I'm sorry for seeming so unknowledgeable about this, but this isn't my area; I'm just the only person we have to try and help right now until we can find a professional to look over the site ($$$).

ejrhodes
07-04-2006, 11:12 AM
You want to take the id out of the URL and instead look for id=session("USERID") where USERID is the session value you set on login. The other option, if you want to leave it in the URL, is simply to do a comparison of your session variable with the query string value. On the page, simply look for this comparison and if it fails, do a response.redirect or prompt with an error message. Keep in mind that if your application has a lot of users, session variables reside on the server and use memory.
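Both options above (drop the id from the URL, or keep it but compare it against the session) in classic ASP, as an added example that is not code from the thread or the site. It assumes the session name lmf232s suggested (Session("m_intUser")), a login page called login.asp, and a user-id column called intUserID; those three names are assumptions.

```vbscript
<%
' ---- login.asp: only the part that runs after the credentials checked out ----
' Store the id server-side; it no longer needs to travel in the URL.
' objRS is the recordset from the credential check (column name assumed).
Session("m_intUser") = CLng(objRS("intUserID"))
Response.Redirect "userloggedin.asp"
%>

<%
' ---- userloggedin.asp: guard at the very top, before anything is rendered ----
Option Explicit
Dim intUser, strRequested

' Option 1: the owner of the page is whoever the session says, never the URL.
If IsEmpty(Session("m_intUser")) Or Session("m_intUser") = "" Then
    ' no authenticated session: back to login (Redirect ends processing)
    Response.Redirect "login.asp"
End If
intUser = CLng(Session("m_intUser"))

' Option 2: if links elsewhere still put ?intUser=N in the URL, the value is
' accepted only when it matches the session owner; otherwise refuse to serve it.
strRequested = Request.QueryString("intUser")
If strRequested <> "" Then
    If Not IsNumeric(strRequested) Then
        Response.Redirect "login.asp"
    End If
    If CLng(strRequested) <> intUser Then
        ' the URL was edited to another user's id: do not show that record
        Response.Redirect "login.asp"
    End If
End If

' From here on every lookup uses intUser (from the session), not the raw URL
' value, e.g. a parameterised query:
'   objCmd.CommandText = "SELECT ... FROM Users WHERE intUserID = ?"
'   objCmd.Parameters.Append objCmd.CreateParameter("id", adInteger, adParamInput, , intUser)
%>
```

Option 1 alone is enough to close the hole; option 2 is only there so existing links that still carry intUser keep working without trusting it.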

vanny
07-05-2006, 01:22 AM
Your other option is to look at some sort of encryption on the value you display in there. Although a little more resource intensive, it will mean that it is harder for them to just change one number and view someone else's record.

However, storing it in a session variable is the best long-term solution.