Peter
Posted: 09/17/2002, 11:23 PM
Hi,
We have developed a very smart web application where different companies can log in. Now the problem is that after a person has logged in, it's very easy to edit the URL and then by trial and error find out what projects other companies are doing, simply by editing the companyID and projectID. It may take some time but it can be done (by a person with the same security level).
We have now looked into encrypting the URL or any other method of disallowing this. Thus far, we can only see one solution, which is to check the user id of a person against the company database and the project the second he/she enters a new page, to make sure that he/she has the necessary permissions.
Does anyone have a better idea on how to solve this security problem in codecharge?
Any idea is welcome!
banjo
Posted: 09/18/2002, 2:46 PM
On our intranet, we have an entry page with a link that, when selected, opens a new window (the login page) without a location bar in that new window.
It prevents simple URL spoofing - but it's not a serious security attempt - just a discouragement.
eDuck
Posted: 09/19/2002, 8:59 AM
Simply create a user table, test if they are allowed to see the records and, if not, redirect them.
Steve
Posted: 09/20/2002, 1:55 PM
First of all, CC/CCS Authentication is for the Page (Form too in CCS), not a table/record. A Page modifies a Table/Record.
Sounds like you have related a user id to a page for security. But the table has multiple companies' data.
What it really sounds like you want to do is relate a record of a table to a user id, either directly or indirectly.
This can be done directly or indirectly.
---------------------------
Directly
Do it by carrying a user-id on the record. If the record is displayed/accessed by someone other than the person on the record, re-direct them. On Insert of the record - Set the User-ID. Drawback - limits record access to only one user.
---------------------------
In-Directly.
Assign/relate the record to a Company and relate the user to a Company. If the record and user are related to the same company, allow the record to be read/modified/deleted; otherwise re-direct them.
It will require additional relational tables. I would load the CompanyID into a session Variable on Login. When Inserting a record, assign the CompanyID of the User (from the Session variable) to the CompanyID on the Record.
What this is doing is simply adding a layer to assure that the record and the user are from the same company.
---------------------------
The In-Directly method is the better method for flexibility.
Still keep the normal authentication used by CC/CCS for the Page. That authentication would still apply. For example - adding/modifying/deleting a certain type of record should only be done by a Web Administrator and not a User.
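The In-Directly method, together with the per-page check Peter describes, as an added Python example (not CodeCharge-generated code and not from any of the posters): CompanyID is stored in the session at login, every page load compares the record's stored CompanyID with the session's, and an insert copies CompanyID from the session rather than from the form. The user and project tables, role names and redirect targets are constructed for the example.

```python
# Constructed sample tables standing in for the User/Company/Project tables.
USERS = {
    "alice": {"CompanyID": 1, "Role": "User"},
    "bob": {"CompanyID": 2, "Role": "Administrator"},
}
PROJECTS = {  # projectID -> record; CompanyID is stamped on insert, see insert_project()
    101: {"CompanyID": 1, "Name": "Acme site redesign"},
    202: {"CompanyID": 2, "Name": "Globex warehouse"},
}

def login(username):
    """Build the session at login. CompanyID is read from the user table once here;
    afterwards the session, never a URL parameter, is the source of truth."""
    u = USERS[username]
    return {"UserID": username, "CompanyID": u["CompanyID"], "Role": u["Role"]}

def page_allowed(session, action):
    """Page-level (role) check, the part CC/CCS authentication already covers:
    here, deleting is reserved for administrators."""
    return action != "delete" or session["Role"] == "Administrator"

def record_allowed(session, project_id):
    """Record-level check from the post: the project's stored CompanyID must match
    the CompanyID in the session. A missing record is treated the same as a
    foreign one, so probing cannot tell the two cases apart."""
    rec = PROJECTS.get(project_id)
    return rec is not None and rec["CompanyID"] == session["CompanyID"]

def handle_request(session, action, query):
    """Run both checks on every page load. `query` is the parsed URL query string;
    query['companyID'] is deliberately ignored because the client controls it."""
    if not page_allowed(session, action):
        return ("redirect", "login")          # placeholder redirect targets
    try:
        project_id = int(query.get("projectID", ""))
    except ValueError:
        return ("redirect", "project_list")
    if not record_allowed(session, project_id):
        return ("redirect", "project_list")
    return ("ok", PROJECTS[project_id])

def insert_project(session, form, new_id):
    """On insert, take CompanyID from the session rather than from the form, so a
    submitted companyID cannot file a record under another company."""
    PROJECTS[new_id] = {"CompanyID": session["CompanyID"], "Name": form["Name"]}
    return PROJECTS[new_id]
```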