View Full Version : Session break, season 3

09-25-2007, 05:27 PM
well i know 2 ways to secure my pages:
1- is posting a variable with some value and in the next page check if the variable got the right value...doing it with Post and not Get of course...
on login page if the username and password is true the user got
and on the "secure" pages i'm checking if the user got "0" in the Session("admin")

well thats good but! too simple don't you think?
what will happend if some "very bad person" will build a page where he will give to him self Session("admin")=0 and link the page to my "secure" page

09-25-2007, 06:13 PM
The easiest way to secure your pages by using session variables is to use multiple session variables.

Try setting session("adminLogon") = true as well as session("admin") = 0.

That way, even if the person can guess one of your session variables, s/he may or may not be able to guess them all.

You can also check the Request.ServerVariables("HTTP_REFERER") to see if it's your logon page that is referring to your admin pages, rather than someone else's server.