Problem with Access Levels using Restrict Access To Page Behavior

First some info about my project:

I'm setting up an ecommerce site using Dreamweaver MX, ASP VBScript, and MS SQL Server 2000.  I have a shopping cart set up that requires users to create an account in order to purchase from the site.  I also have a series of administrative pages that allow the owners of the company to update product descriptions, add products, manage inventory, pricing, customer accounts, etc.

I had set up the site with 2 tables, one for the admins and one for the customers.  I thought everything was working wonderfully until I noticed a pretty big security hole -- customers could log into the My Account part of the site, which would then set a session variable -- then if they happen to know the name of an admin page (e.g. "admin_productmanagement.asp") they could just type that in the browser and be allowed access!  Even though their customer account was in a separate table, the fact that they had a session variable set on one part of the site granted them access to the admin part.

I figured that by using Access Levels I'd be able to solve the problem.  However, I found that they only work when everyone's in the same table.  I kept all accounts in the same table and added a field for access level in my database.  Now if a customer tries to access the page through the login screen without having the proper access level, they do get redirected to the "accessdenied.asp" page.  BUT they can still log in through the My Cart page as usual, get their session variable set, and then just type in the administrative page (again, e.g. "admin_customermaintenance.asp") and have full access.

The only other option that I could think of would be to separate the admin part of the site into another sub-domain and pray that that would make a difference, but I'm hoping there's a better way.

What am I not understanding about Dreamweaver's Access Levels?
saoirse1916 asked:
Saqib Khan (Senior Developer) commented:
saoirse1916, for the customers and the admin do you have two unique sessions?

When a customer logs in you create a customer-based session,
session("Customer")
and when the admin logs in, test the admin session:

on Admin.asp:

' Check the admin-specific session key, not the customer one
If Session("admin") <> "" Then
    ' process the admin page
Else
    ' invalid: no admin session, deny access
End If
gabss commented:
hi,

This might be a stupid idea, but do you have the access-levels code on all the pages?

Because by the sound of it, if you can type in the URL then this code has not been added.


hope this helps

G
saoirse1916 (Author) commented:
Yeah, I thought of that, but I did go through and set all the admin pages to restrict based on access level.  The admin login page does block users with the incorrect access level, but if they log in through the regular customer "My Cart" page, they can get into the admin side by bypassing the admin login page.
Saqib Khan (Senior Developer) commented:
Now generate the admin session as soon as the admin logs in.

And when a customer logs in, generate the customer session and set the admin session to blank or nothing, for security reasons.
saoirse1916 (Author) commented:
I ended up figuring it out -- I just needed to tell the Customer Login to use an Access Level which then prevents the customers from gaining access to the admin pages.  I did try your method as well adikhan and that works too, but since I'm a bit on the lazy side, I just used DW's built in behavior.  Thanks for the tip though!
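The two fixes discussed in this thread (the author's: make every login page record an access level and have the page guard insist on it; adikhan's: one session key per role, with a customer login blanking the admin key) and the original hole side by side, as an added example that is not part of the original thread or of Dreamweaver's generated code. It is written in Python rather than ASP VBScript so it runs stand-alone; sessions are plain dicts standing in for the ASP Session object. The accounts table, the passwords, the field name "access_level" and the page "myaccount.asp" are constructed assumptions; the admin page names are the ones from the question. The weak guard models one way a page check produces the symptom described above: it treats a session with no access level as not level-restricted.

```python
# Constructed example: the access-control hole from the thread and both fixes.
# Not code from the original page or from Dreamweaver. The accounts table, the
# passwords, the "access_level" field and "myaccount.asp" are assumptions.

CUSTOMER = "customer"
ADMIN = "admin"

# Constructed single accounts table with an access-level field (passwords would
# be hashed in a real system).
ACCOUNTS = {
    "alice": {"password": "alice-pw", "access_level": CUSTOMER},
    "owner": {"password": "owner-pw", "access_level": ADMIN},
}

# Access levels allowed on each restricted page; pages not listed are public.
PAGE_LEVELS = {
    "myaccount.asp": {CUSTOMER, ADMIN},
    "admin_productmanagement.asp": {ADMIN},
    "admin_customermaintenance.asp": {ADMIN},
}

ADMIN_PAGES = {p for p, levels in PAGE_LEVELS.items() if levels == {ADMIN}}


def check_password(username, password):
    """Returns the account row on a correct password, else None."""
    acct = ACCOUNTS.get(username)
    return acct if acct is not None and acct["password"] == password else None


# --- The original setup: the customer login page records only the username. ---

def customer_login_no_level(session, username, password):
    if check_password(username, password) is None:
        return False
    session["username"] = username
    return True


def weak_guard(session, page):
    """Guard that waves through any logged-in session whose level was never set.

    A customer who logged in via the cart page has a username but no level,
    so this returns True even for admin pages: the hole from the question.
    """
    if page not in PAGE_LEVELS:
        return True
    if not session.get("username"):
        return False
    level = session.get("access_level", "")
    return level == "" or level in PAGE_LEVELS[page]


# --- Fix A (the author's): every login records the level; the guard requires it. ---

def login_with_level(session, username, password):
    acct = check_password(username, password)
    if acct is None:
        return False
    session["username"] = username
    session["access_level"] = acct["access_level"]
    return True


def strict_guard(session, page):
    """Denies unless the session carries a level that this page allows."""
    if page not in PAGE_LEVELS:
        return True
    if not session.get("username"):
        return False
    level = session.get("access_level", "")
    return level != "" and level in PAGE_LEVELS[page]


# --- Fix B (adikhan's): one session key per role; logging in as one role
# --- blanks the other, so a cart login can never carry an admin key.

def login_role_key(session, username, password, role):
    if check_password(username, password) is None:
        return False
    session[role] = username
    other = ADMIN if role == CUSTOMER else CUSTOMER
    session[other] = ""
    return True


def key_guard(session, page):
    """Admin pages need the admin key; other restricted pages accept either key."""
    if page not in PAGE_LEVELS:
        return True
    if page in ADMIN_PAGES:
        return session.get(ADMIN, "") != ""
    return session.get(CUSTOMER, "") != "" or session.get(ADMIN, "") != ""


def demo():
    """Replays the thread's scenario: a customer logs in, then requests an admin page."""
    results = {}
    s = {}
    customer_login_no_level(s, "alice", "alice-pw")
    results["weak"] = weak_guard(s, "admin_productmanagement.asp")
    s = {}
    login_with_level(s, "alice", "alice-pw")
    results["fix_a"] = strict_guard(s, "admin_productmanagement.asp")
    s = {}
    login_role_key(s, "alice", "alice-pw", CUSTOMER)
    results["fix_b"] = key_guard(s, "admin_productmanagement.asp")
    return results


if __name__ == "__main__":
    print(demo())
```

Either fix works because both make the admin check depend on something only the admin login page sets. The thing to verify after applying either one is that no login page anywhere on the site (cart, My Account, password reset) can put the session into a state the admin guard accepts.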