We have a back office system developed in ASP.NET in which contractors can view all their invoices online. I have just made an addition that allows them to click on a link that opens up a PDF in their browser which displays their invoice as a PDF which they can download.
The problem, however, is that they can manipulate the link in the address bar and thus view someone else's invoice, which we don't want. I can obviously do validation on the page before they are directed to the PDF, but once the PDF opens it has the location on our server in the address bar, which they can make a few minor changes to and view someone else's stuff.
Any ideas how I can stop this?
Thanks in advance
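
One way to close the gap described above, as an added example that is not part of the original post: keep the PDFs outside any directly browsable folder and stream them through a handler that checks ownership on every request. The handler name, the `id` query parameter, the `~/App_Data/Invoices/` layout and the in-memory `Owners` map (standing in for the invoice table) are all assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Hypothetical handler, e.g. registered as Invoice.ashx and linked as Invoice.ashx?id=1001.
public class InvoiceHandler : IHttpHandler
{
    // Constructed sample data standing in for the invoice table: invoice id -> owning login.
    private static readonly Dictionary<int, string> Owners = new Dictionary<int, string>
    {
        { 1001, "contractorA" },
        { 1002, "contractorB" }
    };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        int id;
        string owner;
        // Same 404 for "no such invoice" and "not your invoice", so ids cannot be probed.
        if (!int.TryParse(context.Request.QueryString["id"], out id) ||
            !Owners.TryGetValue(id, out owner) ||
            !string.Equals(owner, context.User.Identity.Name, StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // The path is built from the validated integer only, never from request text.
        // ASP.NET does not serve files under App_Data directly (assumed storage location).
        string path = context.Server.MapPath("~/App_Data/Invoices/" + id + ".pdf");
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition", "inline; filename=invoice-" + id + ".pdf");
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.TransmitFile(path);
    }
}
```

With this in place the address bar only ever shows the handler URL, and changing the `id` returns a 404 unless the logged-in contractor owns that invoice.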