Administration Screen


weee
06-09-2004, 06:06 PM
Hi There.

I have an administration screen for the users to update their details.
The problem is that the URL looks like this:
http://mydomain.com/backOffice/user.asp?id=2

If someone changes the number 2 to 5 and clicks Refresh, he'll get the details of a different user.
How can it be more secure?

Thanks!

buntine
06-09-2004, 11:08 PM
You could use a session variable which contains the current user's ID number.

Each time your admin page loads, make sure the queryString variable matches the Session variable.

Dim intUserID, intQueryID

'| The user's ID was stored in the session at login time.
intUserID = CInt(Session("user_id"))

'| Get the queryString variable.
If IsNumeric(Request.QueryString("id")) Then
    intQueryID = CInt(Request.QueryString("id"))
Else
    With Response
        .Write("Error: The queryString ID has been tampered with.")
        .Flush
        .End     '| Response.End stops the page here, so nothing below runs.
    End With
End If

'| Compare the two.
If Not intUserID = intQueryID Then
    With Response
        .Write("Error: You are not authorised to be in this area.")
        .Flush
        .End
    End With
End If

'| The rest of your ASP code goes here.


Regards,
Andrew Buntine.

Bullschmidt
06-18-2004, 02:49 AM
In the following you could perhaps change the word username to be userid instead.

Perhaps have a login page that asks the user for his username and password. And whatever page that posts to (which could be the same page for a self posting form) tests these fields against what is in the database, sets the username and userlevel session variables accordingly, and then redirects to the proper page - i.e. back to the login page if the password is wrong (perhaps with a JavaScript popup saying wrong username/password combination) or to the main menu page if the password is correct:

Session("UserName") = objRS("UserName")
Session("UserLevel") = objRS("UserLevel")
Response.Redirect "mainmenu.asp"

Then you can use If...Then's or Select Case on each page to control whether a user is allowed to actually be there and whether particular links of where a user can go actually show up.

If (Session("UserLevel") <> "Admin") And (Session("UserLevel") <> "Regular") Then
    Response.Redirect "login.asp"
End If
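Combining the two replies above, as an added example that is not code from either poster: an include for the top of user.asp that first requires a login, then takes the id from the session for a regular user (so editing the URL has no effect at all, rather than just being detected) and only lets an "Admin" pick another user's id, after validating it. The file name checkuser.inc, the Session keys UserID and UserLevel and the value "Admin" are assumptions.

```vbscript
<%
' checkuser.inc (hypothetical name): include at the top of user.asp.
' Assumes the login page already set Session("UserID") and
' Session("UserLevel") from the database, as in the second reply.

' True only for 1..9 decimal digits: unlike IsNumeric this rejects
' "-5", "2.0", "1e3" and "&H10", and 9 digits cannot overflow CLng
' (CInt, by contrast, fails above 32767).
Function IsPlainDigits(strValue)
    Dim i
    IsPlainDigits = (Len(strValue) > 0 And Len(strValue) <= 9)
    For i = 1 To Len(strValue)
        If Mid(strValue, i, 1) < "0" Or Mid(strValue, i, 1) > "9" Then IsPlainDigits = False
    Next
End Function

' Returns the id of the record this request may edit, or 0 if refused.
Function AuthorisedUserID()
    Dim lngSessionID, strQueryID
    ' Not logged in at all: send to the login page (Redirect ends the script).
    If IsEmpty(Session("UserID")) Or Session("UserID") = "" Then
        Response.Redirect "login.asp"
    End If
    lngSessionID = CLng(Session("UserID"))

    ' A regular user never gets to pick an id: the query string is ignored
    ' and the id comes from the session, so changing 2 to 5 changes nothing.
    If Session("UserLevel") <> "Admin" Then
        AuthorisedUserID = lngSessionID
        Exit Function
    End If

    ' An admin may edit any user, but the id is validated before use.
    strQueryID = Trim(Request.QueryString("id"))
    If Len(strQueryID) = 0 Then
        AuthorisedUserID = lngSessionID   ' no id given: admin edits his own record
    ElseIf IsPlainDigits(strQueryID) Then
        AuthorisedUserID = CLng(strQueryID)
    Else
        AuthorisedUserID = 0
    End If
End Function

Dim lngUserID
lngUserID = AuthorisedUserID()
If lngUserID = 0 Then
    Response.Write "Error: invalid user id."
    Response.End
End If
' user.asp now loads record lngUserID, ideally through a parameterised query.
%>
```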