Problem with Access Levels using Restrict Access To Page Behavior
Posted on 2003-11-10
First some info about my project:
I'm setting up an ecommerce site using Dreamweaver MX, ASP VBScript, and MS SQL Server 2000. I have a shopping cart set up that requires users to create an account in order to purchase from the site. I also have a series of administrative pages that allow the owners of the company to update product descriptions, add products, manage inventory, pricing, customer accounts, etc.
I had set up the site with 2 tables, one for the admins and one for the customers. I thought everything was working wonderfully until I noticed a pretty big security hole -- customers could log in to the My Account part of the site, which would then set a session variable -- then if they happen to know the name of an admin page (e.g. "admin_productmanagement.asp") they could just type that in the browser and be allowed access! Even though their customer account was in a separate table, the fact that they had a session variable set on one part of the site granted them access to the admin part.
I figured that by using Access Levels I'd be able to solve the problem. However, I found that they only work when everyone's in the same table. I kept all accounts in the same table and added a field for access level in my database. Now if a customer tries to access the page through the login screen without having the proper access level, they do get redirected to the "accessdenied.asp" page. BUT they can still log in through the My Cart page as usual, get their session variable set, and then just type in the administrative page (again, e.g. "admin_customermaintenance.asp") and have full access.
The only other option that I could think of would be to separate the admin part of the site to another sub-domain and pray that that would make a difference, but I'm hoping there's a better way.
What am I not understanding about Dreamweaver's Access Levels?
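An added example (not the poster's code and not Dreamweaver's generated server behavior) of the deny-by-default check the admin pages need, in classic ASP VBScript. It assumes the login page stores the user's access level from the database in the session next to the username (Dreamweaver's conventional names Session("MM_Username") and Session("MM_UserAuthorization") are assumed here), that admins carry the level "admin" in the access-level column, and a hypothetical include name of admin_check.asp; accessdenied.asp is the redirect page from the post. The point it demonstrates: a session only proves that someone logged in, so the gate must require a non-empty access level that matches the allowed list, and a customer session with no admin level is turned away.

```vbscript
<%
' admin_check.asp (hypothetical include name). Put it at the top of every
' admin page:   <!--#include file="admin_check.asp"-->
' Deny by default: having a session is not the same as having a role.

Function UserHasAccess(allowedLevels)
    ' allowedLevels: comma-separated list of levels, e.g. "admin,owner"
    Dim userLevel, levels, i
    UserHasAccess = False

    ' No login at all -> denied
    If Trim(CStr(Session("MM_Username") & "")) = "" Then Exit Function

    ' Missing or empty access level -> denied. A session created by the
    ' customer (My Cart) login never sets an admin level, so it stops here.
    ' Never treat "" as a wildcard that matches every page.
    userLevel = Trim(CStr(Session("MM_UserAuthorization") & ""))
    If userLevel = "" Then Exit Function

    ' Exact, case-insensitive match against the allowed list.
    ' (A substring test such as InStr would let "admin" match "superadmin".)
    levels = Split(allowedLevels, ",")
    For i = LBound(levels) To UBound(levels)
        If StrComp(Trim(levels(i)), userLevel, vbTextCompare) = 0 Then
            UserHasAccess = True
            Exit Function
        End If
    Next
End Function

' Per-page gate: admin pages accept only the "admin" level.
If Not UserHasAccess("admin") Then
    Response.Clear
    Response.Redirect "accessdenied.asp"
    Response.End
End If
%>
```

The access level must be read from the accounts table when the user logs in and written to the session by the server; it must never be taken from a form field, query string or cookie the browser can edit.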