I was browsing the web for possible security issues with my website, and I was shocked at what I found. I was able to log in to administrator accounts without knowing username and login information, and do anything I wanted within my site.
I typed the following into the URL:
I store user login information in the cookie by using login=USER_ID
I then typed in:
This gave me access to my entire site!
So my question is... how do I prevent this? I'm assuming I'll have to recode how my site determines when a user is logged in.
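The pattern described in the post, next to a server-side session check, as an added example that is not part of the original post. The first function trusts `login=USER_ID` from the cookie; the others issue a random token and resolve the user from a server-side record. The user table, the cookie name `session`, the timeout and the in-memory store are assumptions for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: user id 1 is the administrator account.
USERS = {"1": "admin", "42": "alice"}
SESSION_TTL = 1800  # seconds; assumed session lifetime
_sessions = {}      # sha256(token) -> (user_id, expiry); stands in for a DB table


def parse_cookie(header):
    """Parse a Cookie request header into a dict."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def current_user_vulnerable(cookie_header):
    """The pattern from the post: whatever id the browser sends is trusted."""
    return USERS.get(parse_cookie(cookie_header).get("login"))


def _key(token):
    # Only a hash of the token is stored, so a leaked session table
    # cannot be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def start_session(user_id, now=None):
    """Call after the password check succeeds; returns the Set-Cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _sessions[_key(token)] = (user_id, now + SESSION_TTL)
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(cookie_header, now=None):
    """Resolve the user from the server-side record, never from the cookie."""
    now = time.time() if now is None else now
    token = parse_cookie(cookie_header).get("session", "")
    record = _sessions.get(_key(token))
    if record is None or record[1] < now:
        _sessions.pop(_key(token), None)  # drop expired entries
        return None
    return USERS.get(record[0])


def end_session(cookie_header):
    """Logout: delete the server-side record so the token is dead."""
    _sessions.pop(_key(parse_cookie(cookie_header).get("session", "")), None)
```

The cookie now carries only an unguessable token, so editing it in the browser yields no session; the user id lives in the server-side record.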