Solved

Problem with Access Levels using Restrict Access To Page Behavior

Posted on 2003-11-10
5
Medium Priority
494 Views
Last Modified: 2012-06-27
First some info about my project:

I'm setting up an ecommerce site using Dreamweaver MX, ASP VBScript, and MS SQL Server 2000.  I have a shopping cart set up that requires users to create an account in order to purchase from the site.  I also have a series of administrative pages that allow the owners of the company to update product descriptions, add products, manage inventory, pricing, customer accounts, etc.

I had set up the site with 2 tables, one for the admins and one for the customers.  I thought everything was working wonderfully until I noticed a pretty big security hole -- customers could log in to the My Account part of the site, which would then set a session variable -- then if they happen to know the name of an admin page (e.g. "admin_productmanagement.asp") they could just type that in the browser and be allowed access!  Even though their customer account was in a separate table, the fact that they had a session variable set on one part of the site granted them access to the admin part.

I figured that by using Access Levels I'd be able to solve the problem.  However, I found that they only work when everyone's in the same table.  I kept all accounts in the same table and added a field for access level in my database.  Now if a customer tries to access the page through the login screen without having the proper access level, they do get redirected to the "accessdenied.asp" page.  BUT they can still log in through the My Cart page as usual, get their session variable set, and then just type in the administrative page (again, e.g. "admin_customermaintenance.asp") and have full access.

The only other option that I could think of would be to separate the admin part of the site to another sub-domain and pray that that would make a difference, but I'm hoping there's a better way.

What am I not understanding about Dreamweaver's Access Levels?
0
Question by:saoirse1916
5 Comments
 
LVL 1

Expert Comment

by:gabss
ID: 9722322
hi,

This might be a stupid idea, but do you have the access levels code on all the pages?

Because by the sound of it, if you can type in the URL then this code has not been added.


hope this helps

G
0
 
LVL 8

Author Comment

by:saoirse1916
ID: 9722680
Yeah, I thought of that, but I did go through and set all the admin pages to restrict based on access level.  The admin login page does block users with the incorrect access level, but if they log in through the regular customer "My Cart" page, they can get into the admin side by bypassing the admin login page.
0
 
LVL 23

Accepted Solution

by:
Saqib Khan earned 1400 total points
ID: 9723096
saoirse1916, for the customers and Admin, do you have two unique sessions?

when the customer logs in you create a customer-based session
session("Customer")
and when the Admin logs in, test the admin session

on Admin.asp
<%
' Only the admin login page sets Session("admin"); a customer login never does
If Session("admin") <> "" Then

    ' process the admin page

Else

    ' invalid: not an admin session, refuse the page
    Response.Redirect "accessdenied.asp"

End If
%>
0
 
LVL 23

Expert Comment

by:Saqib Khan
ID: 9723115
Now generate the Admin Session as soon as the Admin logs in.

And when the Customer logs in, generate the Customer Session, and set the Admin Session to blank or nothing for security reasons.
0
 
LVL 8

Author Comment

by:saoirse1916
ID: 9726853
I ended up figuring it out -- I just needed to tell the Customer Login to use an Access Level which then prevents the customers from gaining access to the admin pages.  I did try your method as well adikhan and that works too, but since I'm a bit on the lazy side, I just used DW's built in behavior.  Thanks for the tip though!
0
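The separate-session approach from the accepted solution and the access-level fix from the asker's last comment, modelled together as an added Python example (not code from the thread and not Dreamweaver's generated code); the session variable names and the lenient-check behaviour are my assumptions.

```python
# Added example (not from the original thread): a Python model of the session
# checks discussed above. It shows the hole (a login that records no access
# level still passes the admin check), the asker's fix (every login records a
# level) and Saqib Khan's fix (a dedicated admin session key). Names follow the
# Dreamweaver MM_Username / MM_UserAuthorization convention; the lenient check
# is my reconstruction of the described behaviour, not Dreamweaver's code.

ADMIN_PAGES = {"admin_productmanagement.asp", "admin_customermaintenance.asp"}

def login_customer_original(session, username):
    """My Cart login as first configured: authenticated, but no level stored."""
    session.clear()
    session["MM_Username"] = username

def login_customer_fixed(session, username):
    """My Cart login after the fix: the customer level is stored as well."""
    session.clear()
    session["MM_Username"] = username
    session["MM_UserAuthorization"] = "customer"

def login_admin(session, username):
    """Admin login: stores the level and a dedicated admin session key."""
    session.clear()  # also wipes any stale customer state
    session["MM_Username"] = username
    session["MM_UserAuthorization"] = "admin"
    session["admin"] = username

def restrict_access_lenient(session, authorized_levels):
    """Flawed check: a missing level is treated as 'no restriction applies'."""
    if not session.get("MM_Username"):
        return False
    level = session.get("MM_UserAuthorization", "")
    return level == "" or level in authorized_levels

def restrict_access_strict(session, authorized_levels):
    """Hardened check: being logged in is never enough; the stored level must
    be explicitly on this page's allow list."""
    return bool(session.get("MM_Username")) and \
        session.get("MM_UserAuthorization") in authorized_levels

def require_admin_session(session):
    """Saqib Khan's approach: the admin page tests its own session key."""
    return session.get("admin", "") != ""

def admin_page_allowed(session, page, check=restrict_access_strict):
    """Per-request gate: every admin_*.asp page must run the check itself."""
    if page in ADMIN_PAGES:
        return check(session, {"admin"})
    return bool(session.get("MM_Username"))
```

Run with the customer logged in through `login_customer_original` to see the lenient check admit an admin page while the strict check and `require_admin_session` refuse it.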
