I need some help with security.
I have a website that stores all invoices in a virtual invoice folder.
Usuers cannot browse the invoices but they can substitute a number and see an invoice not meant for them.
I need to fix this and I am not sure how.
Current;y users log in on the website with a user/pass and that is checked against an access database, they are shown data that belongs to them. When they want to view an invoice, they click on a link and that lionk spawns a script that resides on the server that checks to see if the invoice they are requesting belongs to them.
The link is something like this:
However, if they type
they will get the invoice that doesn't belong to them regardless.
I also have to send out notices that tell members that they have new invoices and I have tio list them like so:
that aslo can be "hacked" to show any invoice.
How can I secure this so that they are :
1. Required to go to my login page at least once during the session
2. Denied access to other invoices.
I have a script that checks for that but I do not know how to get it to fire when someone has a direct address.