I manage this by creating a cursor containing the list of all those your access allows and then letting the user click on a name in the grid and call the Person1 page. The fix was to look at the access code granted on login (saved in Sessions) and validate against that in the OnLoad of the Person1 page.
Seems to work properly on my test bed - production next.
Can't say for sure without seeing the code for your Person1 page (or process method if this is a classic WW page) but it seems like you're allowing the page to display without invoking a call to the authentication routines. Somewhere in there, preferably early in the page loading process, you'd want something like this (assuming you're using the built-in security routines):
IF !Process.Authenticate()
   RETURN
ENDIF
A user of my WestWind page emailed me to say that he could bypass the login process completely once he had ever logged in. He sent me a screenshot that shows: myalbat.org/Person1.alb?Id=%20%2020138204 in the address bar.
I typed that into the address bar from my computer and it took me straight to his page - something I never should have been able to do. What have I missed? The last 6 digits of that address are the serial number of his record and if I change that number, I can see other people too.
Potter
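The record-level check discussed in this thread (validating the requested Id against what the logged-in user's access allows), as an added example that is not part of the original posts or the site's code. The cursor curAllowed, the field PersonId and the function IsRecordAllowed are assumed names, and the sample rows are constructed.

```foxpro
* Added example, not the site's code. Cursor, field and function names are
* hypothetical; the rows below are constructed sample data.

* Stand-in for the list built at login from the user's access code
CREATE CURSOR curAllowed (PersonId C(10))
INSERT INTO curAllowed (PersonId) VALUES ("20138204")
INSERT INTO curAllowed (PersonId) VALUES ("20138377")

? IsRecordAllowed("  20138204", "curAllowed")       && Id padded as in the URL
? IsRecordAllowed("20138205", "curAllowed")         && serial edited in the address bar
? IsRecordAllowed("20138204 OR 1=1", "curAllowed")  && not a plain number
? IsRecordAllowed("", "curAllowed")                 && Id missing from the request
? IsRecordAllowed("20138204", "curMissing")         && allowed list was never built
RETURN

* Returns .T. only when the requested Id is a plain number that appears in
* the caller's allowed list. Every other case is refused (fail closed).
FUNCTION IsRecordAllowed(lcRawId, lcAllowedCursor)
   LOCAL lcId, llAllowed, lnOldArea

   * The Id arrives from the URL, so treat it as untrusted text
   lcId = ALLTRIM(TRANSFORM(lcRawId))

   * Anything left after stripping digits means it is not a serial number
   IF EMPTY(lcId) OR LEN(CHRTRAN(lcId, "0123456789", "")) > 0
      RETURN .F.
   ENDIF

   * No allowed list means no access, not unrestricted access
   IF !USED(lcAllowedCursor)
      RETURN .F.
   ENDIF

   * Exact match against the server-side list; restore the work area after
   lnOldArea = SELECT()
   SELECT (lcAllowedCursor)
   LOCATE FOR ALLTRIM(PersonId) == lcId
   llAllowed = FOUND()
   SELECT (lnOldArea)

   RETURN llAllowed
ENDFUNC
```

In the Person1 page this check would run in OnLoad after Process.Authenticate() succeeds, with the Id taken from the request and the allowed list rebuilt from the access code saved in the session. Authentication alone confirms that someone is logged in; this second check is what stops a logged-in user from changing the number to view another person's record.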