There are currently no qualifying experts in Web Development

1. jason1178268,606
2. scrathcyboy219,132
3. b0lsc0tt108,762
4. hielo91,042
5. mplungjan82,475
6. rdivilbiss76,413
7. Ray_Pas...55,436
8. Kravimir40,740
9. gwkg33,800
10. TName31,800
11. RQuadling30,800
12. humeniuk28,679
13. gamebits28,528
14. ahoffmann26,875
15. Steggs26,146
16. amit_g25,200
17. shalomc25,065
18. julianmatz24,432
19. routinet23,005
20. abel23,000
21. Sheharya...21,900
22. HonorGod21,500
23. TheLearn...21,350
24. _agx_19,900
25. Onthrax19,650

	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

08/09/2007 at 12:02PM PDT, ID: 22752988

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

5.6

Directory Security issue in IIS using .asp pages

Asked by gormly in Web Development, Miscellaneous Security, Visual Basic Programming

I need some help with security.

I have a website that stores all invoices in a virtual invoice folder.
Usuers cannot browse the invoices but they can substitute a number and see an invoice not meant for them.

I need to fix this and I am not sure how.

Current;y users log in on the website with a user/pass and that is checked against an access database, they are shown data that belongs to them. When they want to view an invoice, they click on a link and that lionk spawns a script that resides on the server that checks to see if the invoice they are requesting belongs to them.

The link is something like this:

www.mysite.com/getinvoice.asp?INV=999999.pdf

However, if they type
www.mysite.com/invoices/999998.pdf
they will get the invoice that doesn't belong to them regardless.

I also have to send out notices that tell members that they have new invoices and I have tio list them like so:
www.mysite.com/invoices/999997.pdf
www.mysite.com/invoices/999998.pdf
www.mysite.com/invoices/999999.pdf

that aslo can be "hacked" to show any invoice.

How can I secure this so that they are :
1. Required to go to my login page at least once during the session
2. Denied access to other invoices.

I have a script that checks for that but I do not know how to get it to fire when someone has a direct address.

HELP!

View the Solution FREE for 30 Days

20091111-EE-VQP-91 / EE_QW_1_20070628

Directory Security issue in IIS using .asp pages

Asked by gormly in Web Development, Miscellaneous Security, Visual Basic Programming

About this solution