HTTP_Referer HELP

Hi All,
I have an Asp page test.asp for which one parameter needs to be passed for eg id=2  so to access the page in correct way the URL would be xyz.com/test.asp?id=2     Now the ID can be 2,3,4 etc ect It is generated dynamically.I dont want users to modify the ID in the address bar hence  I am checking whether request.serverVariable("HTTP_REFERER")<>""   and if it is <>"" then I am processing the page.

I am mailing the link xyz.com/test.asp?id=2 to the customer so if the users have hotmail account,yahoo account or for that matter any web based email account and the customer clicks on the above link the value returned by request.serverVariable("HTTP_REFERER") is not null (unless the customer modifies the ID in the address bar intentionally) .But if the customer has an exchange account for eg if my email lands in outlook express ot microsoft outlook  then the value returned by request.serverVariable("HTTP_REFERER") is null even thought the customer dint play with the the id in the Address bar . I dont want that to hapen .
Is there any solution to this problem Or is there any other alternative way?

Thanks for help
Ken
fdbtydhAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

d0zerzCommented:
I don't see how you're going to fix the referer problem from outlook, but I would prevent users from modifying the id with a session variable storing the id...something like this:

if strcomp(Request.QueryString("id"),session("id")) <> 0 _
 and not isNull(session("id")) then
  'error (user has modified ID)
elseif isNull(session("id")) then
  'User hasn't been assigned a sessionID yet
  '...assign an inital one
end if

I'm not sure exactly what kind of permissions you need with id, but you're going to have to come up with something to assign the session("id") initially when they come back from the email client...Probably in a similar way that you're assigning URL ids.  This could enforce that a user can only access a certain page if they have a session("id") AND it matches with the URL id.

I could probably come up with something better if I had some idea of the page "flow" and what you're trying to prevent them from doing :)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
fdbtydhAuthor Commented:
I have used session variables and it worked .

Keny
http://www.houstonoptical.com 
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.