Problem with Access Levels using Restrict Access To Page Behavior

Posted on 2003-11-10
Last Modified: 2012-06-27
First some info about my project:

I'm setting up an ecommerce site using Dreamweaver MX, ASP VBScript, and MS SQL Server 2000.  I have a shopping cart set up that requires users to create an account in order to purchase from the site.  I also have a series of administrative pages that allow the owners of the company to update product descriptions, add products, manage inventory, pricing, customer accounts, etc.

I had set up the site with 2 tables, one for the admins and one for the customers.  I thought everything was working wonderfully until I noticed a pretty big security hole -- customers could log in to the My Account part of the site, which would then set a session variable -- then if they happen to know the name of an admin page (e.g. "admin_productmanagement.asp") they could just type that in the browser and be allowed access!  Even though their customer account was in a separate table, the fact that they had a session variable set on one part of the site granted them access to the admin part.

I figured that by using Access Levels I'd be able to solve the problem.  However, I found that they only work when everyone's in the same table.  I kept all accounts in the same table and added a field for access level in my database.  Now if a customer tries to access the page through the login screen without having the proper access level, they do get redirected to the "accessdenied.asp" page.  BUT they can still log in through the My Cart page as usual, get their session variable set, and then just type in the administrative page (again, e.g. "admin_customermaintenance.asp") and have full access.

The only other option that I could think of would be to separate the admin part of the site to another sub-domain and pray that that would make a difference, but I'm hoping there's a better way.

What am I not understanding about Dreamweaver's Access Levels?
Question by:saoirse1916
5 Comments
 
LVL 1

Expert Comment

by:gabss
ID: 9722322
hi,

This might be a stupid idea, but do you have the access levels code on all the pages?

Because by the sound of it, if you can type in the URL then this code has not been added..


hope this helps

G
 
LVL 8

Author Comment

by:saoirse1916
ID: 9722680
Yeah, I thought of that, but I did go through and set all the admin pages to restrict based on access level.  The admin login page does block users with the incorrect access level, but if they log in through the regular customer "My Cart" page, they can get into the admin side by bypassing the admin login page.
 
LVL 23

Accepted Solution

by: Saqib Khan (earned 1400 total points)
ID: 9723096
saoirse1916, for the customers and admin do you have two unique sessions?

When the customer logs in you create a customer-based session
session("Customer")
and when the admin logs in you test the admin session.

on Admin.asp
<%
If Session("admin") <> "" Then

    ' process: an admin session exists, render the admin page

Else

    ' invalid: no admin session, so deny access
    Response.Redirect "accessdenied.asp"
    Response.End

End If
%>
 
LVL 23

Expert Comment

by:Saqib Khan
ID: 9723115
Now generate the admin session as soon as the admin logs in.

And when the customer logs in, generate the customer session, and set the admin session to blank or nothing for security reasons.
 
LVL 8

Author Comment

by:saoirse1916
ID: 9726853
I ended up figuring it out -- I just needed to tell the Customer Login to use an Access Level which then prevents the customers from gaining access to the admin pages.  I did try your method as well adikhan and that works too, but since I'm a bit on the lazy side, I just used DW's built in behavior.  Thanks for the tip though!
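As an added example (not Dreamweaver's generated behavior code and not code from anyone in this thread), here is the pattern that both the accepted solution and the author's final fix describe, in classic ASP VBScript: every login path writes an access level into the session and clears whatever a previous login stored, and every restricted page runs one check that compares that level against the page's allowed list, so the page is protected no matter which login screen set the session. The include name access_check.asp, the session key AccessLevel and the level names "customer" and "admin" are assumptions.

```vbscript
<%
' access_check.asp (assumed name): include at the top of every restricted page,
' e.g. <!-- #include file="access_check.asp" --> followed by Call RequireLevel("admin")
' Every login page (customer "My Cart" login and admin login alike) must call
' StartSession after verifying the credentials against the single accounts table.

' Store the user's level server-side, taken from the users table and never from the
' form. RemoveAll clears any admin state left in the same session by an earlier login,
' which is the "set the admin session to blank" step from the accepted solution.
Sub StartSession(userName, accessLevel)
    Session.Contents.RemoveAll()
    Session("Username") = userName
    Session("AccessLevel") = accessLevel   ' assumed values: "customer" or "admin"
End Sub

' Returns True only when the session carries one of the allowed levels.
' allowedLevels is a comma-separated list such as "admin" or "admin,manager".
Function HasLevel(allowedLevels)
    Dim level, allowed, i
    HasLevel = False
    level = Trim(Session("AccessLevel") & "")   ' & "" turns Empty/Null into ""
    If level = "" Then Exit Function            ' logged in with no level: deny
    allowed = Split(allowedLevels, ",")
    For i = 0 To UBound(allowed)
        If StrComp(Trim(allowed(i)), level, vbTextCompare) = 0 Then
            HasLevel = True
            Exit Function
        End If
    Next
End Function

' Redirect and stop processing when the level is wrong. Because the check runs on
' the restricted page itself, typing admin_productmanagement.asp into the address
' bar after a customer login lands on accessdenied.asp instead of the admin page.
Sub RequireLevel(allowedLevels)
    If Not HasLevel(allowedLevels) Then
        Response.Redirect "accessdenied.asp"
        Response.End
    End If
End Sub
%>
```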