Solved

Problem with Access Levels using Restrict Access To Page Behavior

Posted on 2003-11-10
Last Modified: 2012-06-27
First some info about my project:

I'm setting up an ecommerce site using Dreamweaver MX, ASP VBScript, and MS SQL Server 2000.  I have a shopping cart set up that requires users to create an account in order to purchase from the site.  I also have a series of administrative pages that allow the owners of the company to update product descriptions, add products, manage inventory, pricing, customer accounts, etc.

I had set up the site with 2 tables, one for the admins and one for the customers.  I thought everything was working wonderfully until I noticed a pretty big security hole -- customers could log in to the My Account part of the site, which would then set a session variable -- then if they happen to know the name of an admin page (e.g. "admin_productmanagement.asp") they could just type that in the browser and be allowed access!  Even though their customer account was in a separate table, the fact that they had a session variable set on one part of the site granted them access to the admin part.

I figured that by using Access Levels I'd be able to solve the problem.  However, I found that they only work when everyone's in the same table.  I kept all accounts in the same table and added a field for access level in my database.  Now if a customer tries to access the page through the login screen without having the proper access level, they do get redirected to the "accessdenied.asp" page.  BUT they can still log in through the My Cart page as usual, get their session variable set, and then just type in the administrative page (again, e.g. "admin_customermaintenance.asp") and have full access.

The only other option that I could think of would be to separate the admin part of the site to another sub-domain and pray that that would make a difference, but I'm hoping there's a better way.

What am I not understanding about Dreamweaver's Access Levels?
Question by:saoirse1916
LVL 1

Expert Comment

by:gabss
ID: 9722322
hi,

This might be a stupid idea, but have you got the access levels code on all the pages?

Because by the sound of it, if you can type in the URL then this code has not been added.


hope this helps

G
LVL 8

Author Comment

by:saoirse1916
ID: 9722680
Yeah, I thought of that, but I did go through and set all the admin pages to restrict based on access level.  The admin login page does block users with the incorrect access level, but if they log in through the regular customer "My Cart" page, they can get into the admin side by bypassing the admin login page.
LVL 23

Accepted Solution

by:
adilkhan earned 350 total points
ID: 9723096
saoirse1916, for the customers and Admin you have two unique Sessions?

When a customer logs in you create a customer-based session
Session("Customer")
and when the Admin logs in, test the admin session

on Admin.asp
<%
If Session("admin") <> "" Then
    ' process: the admin session was set by the admin login, so render the page
Else
    ' invalid: no admin session, so refuse (e.g. Response.Redirect "accessdenied.asp")
End If
%>
LVL 23

Expert Comment

by:adilkhan
ID: 9723115
now Generate the Admin Session as soon as the ADMIN logs in.

and when Customer Logs in, Generate the Customer Session, and set the Admin Session to Blank or nothing for Security Reasons.
LVL 8

Author Comment

by:saoirse1916
ID: 9726853
I ended up figuring it out -- I just needed to tell the Customer Login to use an Access Level, which then prevents the customers from gaining access to the admin pages.  I did try your method as well, adilkhan, and that works too, but since I'm a bit on the lazy side, I just used DW's built-in behavior.  Thanks for the tip though!
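The following is an added model, not code from the thread or from Dreamweaver itself, of why the customer session opened the admin pages and why both fixes discussed above (saoirse1916's "give the Customer Login an Access Level" and adilkhan's separate admin/customer session variables) close the hole. It assumes, from memory of the VBScript that Dreamweaver MX generates, that the Log In User behaviour stores the name in Session("MM_Username") and the level in Session("MM_UserAuthorization"), and that Restrict Access To Page grants access when a name is set and either levels are not enforced on that page, the stored level is empty, or the level is found with InStr in the page's MM_authorizedUsers list. The Session class, function names and sample logins are constructed for the example.

```python
"""Added model (not code from the thread) of the Dreamweaver MX access check.
Assumption: the generated ASP code keeps Session("MM_Username") and
Session("MM_UserAuthorization") and grants access when a name is set and
(levels are not enforced on the page, or the stored level is empty, or the
level is found by InStr in MM_authorizedUsers). Reconstructed from memory."""


class Session:
    """Constructed stand-in for the ASP Session object: unset keys read as ""."""

    def __init__(self):
        self._data = {}

    def get(self, key):
        return str(self._data.get(key, ""))

    def set(self, key, value):
        self._data[key] = value


def dw_restrict_access(session, mm_authorized_users, use_access_levels):
    """Reconstruction of the Restrict Access To Page check; use_access_levels
    is the True/False literal Dreamweaver writes depending on whether levels
    were chosen for this page."""
    if session.get("MM_Username") == "":
        return False
    level = session.get("MM_UserAuthorization")
    if not use_access_levels or level == "":
        return True                      # empty level passes: the hole in the question
    return level in mm_authorized_users  # substring test, like InStr


def hardened_restrict_access(session, authorized_levels):
    """Safer variant: levels always enforced, an empty level is denied, and the
    level must match one entry of the comma-separated list exactly."""
    if session.get("MM_Username") == "":
        return False
    level = session.get("MM_UserAuthorization")
    allowed = {x.strip() for x in authorized_levels.split(",") if x.strip()}
    return level != "" and level in allowed


def dw_login(session, username, access_level=None):
    """Model of the Log In User behaviour: the level is only stored when the
    login page was told to use one, which is the fix saoirse1916 settled on."""
    session.set("MM_Username", username)
    if access_level is not None:
        session.set("MM_UserAuthorization", access_level)


# adilkhan's alternative: one session variable per role, the other one blanked
def customer_login_separate(session, username):
    session.set("Customer", username)
    session.set("admin", "")  # blank the admin session on customer login


def admin_login_separate(session, username):
    session.set("admin", username)


def admin_page_separate(session):
    return session.get("admin") != ""


def scenarios():
    """Access decision for an admin page in each situation from the thread."""
    out = {}
    s = Session(); dw_login(s, "customer1")
    out["no levels anywhere"] = dw_restrict_access(s, "", False)
    s = Session(); dw_login(s, "customer1")
    out["admin page uses levels, customer login does not"] = dw_restrict_access(s, "admin", True)
    s = Session(); dw_login(s, "customer1", "customer")
    out["customer login assigns a level"] = dw_restrict_access(s, "admin", True)
    s = Session(); dw_login(s, "owner", "admin")
    out["admin with level"] = dw_restrict_access(s, "admin", True)
    s = Session(); dw_login(s, "customer1")
    out["hardened, customer without level"] = hardened_restrict_access(s, "admin")
    s = Session(); admin_login_separate(s, "owner"); customer_login_separate(s, "customer1")
    out["separate sessions, customer login after admin"] = admin_page_separate(s)
    return out


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The second scenario is the one in the question: the admin pages enforce a level, but a customer who logged in through a page that never assigned one carries an empty MM_UserAuthorization, and the modelled check treats an empty level as "no restriction". Assigning every login page a level removes that path; the hardened variant also refuses an empty level outright and compares whole list entries, so a level that is merely a substring of an authorized one cannot slip through.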