Problem with Access Levels using Restrict Access To Page Behavior

First some info about my project:

I'm setting up an ecommerce site using Dreamweaver MX, ASP VBScript, and MS SQL Server 2000.  I have a shopping cart set up that requires users to create an account in order to purchase from the site.  I also have a series of administrative pages that allow the owners of the company to update product descriptions, add products, manage inventory, pricing, customer accounts, etc.

I had set up the site with 2 tables, one for the admins and one for the customers.  I thought everything was working wonderfully until I noticed a pretty big security hole -- customers could log in to the My Account part of the site, which would then set a session variable -- then if they happen to know the name of an admin page (e.g. "admin_productmanagement.asp") they could just type that in the browser and be allowed access!  Even though their customer account was in a separate table, the fact that they had a session variable set on one part of the site granted them access to the admin part.

I figured that by using Access Levels I'd be able to solve the problem.  However, I found that they only work when everyone's in the same table.  I kept all accounts in the same table and added a field for access level in my database.  Now if a customer tries to access the page through the login screen without having the proper access level, they do get redirected to the "accessdenied.asp" page.  BUT they can still log in through the My Cart page as usual, get their session variable set, and then just type in the administrative page (again, e.g. "admin_customermaintenance.asp") and have full access.

The only other option that I could think of would be to separate the admin part of the site to another sub-domain and pray that that would make a difference, but I'm hoping there's a better way.

What am I not understanding about Dreamweaver's Access Levels?
saoirse1916 asked:

gabss commented:
hi,

This might be a stupid idea, but do you have the access levels code on all the pages?

Because by the sound of it, if you can type in the URL then this code has not been added.


hope this helps

G
saoirse1916 (Author) commented:
Yeah, I thought of that, but I did go through and set all the admin pages to restrict based on access level.  The admin login page does block users with the incorrect access level, but if they log in through the regular customer "My Cart" page, they can get into the admin side by bypassing the admin login page.
Saqib Khan (Senior Developer) commented:
saoirse1916, do you have two unique sessions for the customers and the admin?

When the customer logs in, you create a customer-based session:
Session("Customer")
and when the admin logs in, test the admin session.

On Admin.asp:
<%
' Only an admin login sets Session("admin"); a customer login never does,
' so a customer session alone cannot pass this test.
If Session("admin") <> "" Then
    ' process
Else
    ' invalid
End If
%>

Saqib Khan (Senior Developer) commented:
Now generate the admin session as soon as the admin logs in.

And when the customer logs in, generate the customer session, and set the admin session to blank or nothing for security reasons.
saoirse1916 (Author) commented:
I ended up figuring it out -- I just needed to tell the Customer Login to use an Access Level which then prevents the customers from gaining access to the admin pages.  I did try your method as well adikhan and that works too, but since I'm a bit on the lazy side, I just used DW's built in behavior.  Thanks for the tip though!
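Putting the two answers in this thread together (Saqib Khan's separate-session check and the author's access-level fix), here is an added example of what the per-page check and the customer login need to do. This is not code from the thread and not Dreamweaver's generated behavior code. It assumes the login page stores the user name in Session("MM_Username") and the access-level column in Session("MM_UserAuthorization"), the names Dreamweaver's Log In User behavior normally writes (verify against your own generated code), and the level values "admin" and "customer" are constructed example values.

```asp
<%
' ===== admin_restrict.asp =====
' Added example, not Dreamweaver-generated code and not code from this thread.
' Put <!-- #include file="admin_restrict.asp" --> as the FIRST line of every
' admin page. Each page enforces the check itself, so typing the admin URL
' directly is no different from arriving through the admin login page.
'
' Assumed session names (Dreamweaver's Log In User behavior uses these;
' check your generated code): Session("MM_Username"), Session("MM_UserAuthorization").
' "admin" is a constructed example value for the access-level column.

Const ADMIN_LEVEL = "admin"

Function IsAdminSession()
    IsAdminSession = False
    ' The mere existence of a session is NOT enough: a customer login also
    ' creates one. Always compare the stored access level.
    If Session("MM_Username") <> "" Then
        ' "& """ coerces an Empty session value to a string before LCase/Trim.
        If LCase(Trim(Session("MM_UserAuthorization") & "")) = ADMIN_LEVEL Then
            IsAdminSession = True
        End If
    End If
End Function

If Not IsAdminSession() Then
    ' Response.Redirect ends processing of this page, so no admin data is sent.
    Response.Redirect "accessdenied.asp"
End If
%>

<%
' ===== customer_login.asp (fragment run only after the customer's password check succeeds) =====
' customerUsername is assumed to hold the validated user name from the login form.
' Record the level explicitly so a customer session can never be read as an admin one.
Session("MM_Username") = customerUsername
Session("MM_UserAuthorization") = "customer"   ' constructed example value

' Belt and braces, per Saqib Khan's suggestion above: a customer login also
' clears any admin marker that might still be in this session.
Session("admin") = ""
%>
```

The important difference from the original setup is that admin_restrict.asp checks the access-level value stored at login rather than just "is someone logged in", and that the customer login sets that value itself instead of leaving it Empty. If every admin page includes the file, the "type the URL directly" path described in the question hits the same check as the admin login page.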
Adobe Dreamweaver