Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 2 of 2
Thread: Session break, season 3
09-25-2007, 04:27 PM #1
- Join Date
- Sep 2007
- Thanked 0 Times in 0 Posts
Session break, season 3
well i know 2 ways to secure my pages:
1- is posting a variable with some value and in the next page check if the variable got the right value...doing it with Post and not Get of course...
on login page if the username and password is true the user got
and on the "secure" pages i'm checking if the user got "0" in the Session("admin")
well thats good but! too simple don't you think?
what will happend if some "very bad person" will build a page where he will give to him self Session("admin")=0 and link the page to my "secure" page
Last edited by sasha85; 09-25-2007 at 04:30 PM.
09-25-2007, 05:13 PM #2
- Join Date
- Mar 2007
- Thanked 19 Times in 19 Posts
The easiest way to secure your pages by using session variables is to use multiple session variables.
Try setting session("adminLogon") = true as well as session("admin") = 0.
That way, even if the person can guess one of your session variables, s/he may or may not be able to guess them all.
You can also check the Request.ServerVariables("HTTP_REFERER") to see if it's your logon page that is referring to your admin pages, rather than someone else's server.
HTH!To say my fate is not tied to your fate is like saying, 'Your end of the boat is sinking.' -- Hugh Downs