alexands
Posts: 11
Posted: 12/09/2006, 7:39 AM
Can anyone give me some ideas about how to stop using IDENTITY values in querystrings to link to records? My app is multi user and if a person can read a document ID in the query string, they can just change it to see others' information. I thought of using a GUID as a primary key but have been told that's not such a good idea.
How would I use Session variables for this? How can I set a session variable by clicking on a HREF?
I hope this makes sense.
Thanks

E43509
Posts: 283
Posted: 12/09/2006, 8:16 AM
First thought would be to change from an HTTP GET to an HTTP POST. The GET puts stuff in the URL. The POST puts it in the headers.
Second thought is along the same lines as you related. Set a session variable. Clicking on a HREF would be tough to create a session variable as that is created on the server side and you need to submit back to the server.

rbaldwin
Posts: 172
Posted: 12/13/2006, 4:43 PM
Another option would be to obfuscate the IDENTITY value and deobfuscate it when you get to the destination page in the before show event.
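
An added example, not part of the thread: one way to combine the session-variable and obfuscation ideas discussed above is a per-session lookup table from random tokens to IDENTITY values, filled when the list page is rendered and resolved on the destination page, with record ownership still checked on the server. The `session` dict, the `DOCUMENTS` table, the `/document?ref=` URL and the function names are assumptions for illustration, and Python is used only to keep the example runnable.

```python
import secrets

# Constructed sample data standing in for the documents table: IDENTITY value -> row.
DOCUMENTS = {
    101: {"owner": "alice", "title": "Alice's invoice"},
    102: {"owner": "bob", "title": "Bob's contract"},
}


def build_links(session: dict, user: str) -> dict:
    """List page: issue one random token per record the user owns and
    remember token -> IDENTITY value in the server-side session."""
    ref_map = session.setdefault("ref_map", {})
    links = {}
    for doc_id, doc in DOCUMENTS.items():
        if doc["owner"] != user:
            continue
        token = secrets.token_urlsafe(16)  # unguessable, unrelated to the id
        ref_map[token] = doc_id
        links[doc["title"]] = "/document?ref=" + token  # hypothetical URL
    return links


def open_document(session: dict, user: str, ref: str):
    """Destination page: translate the token back to the IDENTITY value.
    Returns the row, or None when the token is unknown to this session."""
    doc_id = session.get("ref_map", {}).get(ref)
    if doc_id is None:
        return None  # edited, guessed, or copied from another session
    doc = DOCUMENTS.get(doc_id)
    # The token only hides the id; ownership is still enforced here.
    if doc is None or doc["owner"] != user:
        return None
    return doc


if __name__ == "__main__":
    alice_session = {}  # stands in for the framework's session store
    for title, url in build_links(alice_session, "alice").items():
        print(title, "->", url)
    print(open_document(alice_session, "alice", "102"))  # raw id is rejected
```
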