Simmo Posted November 18, 2010

Hi

I allow users to log in, they are redirected to a page and in the URL their account ID is carried e.g. accountid=2. Obviously they could alter the number and potentially see other members' details. What is the best way to hide this information?

Thanks

PFMaBiSmAd Posted November 18, 2010

The code on the page must check if the current visitor is both logged in and has permission to access that page, either because it is his information or the current visitor is the site's administrator.

Simmo Posted November 18, 2010

Hi

Yes, the page checks for a logged in session and redirects if they haven't got one. But when they view their account details using the id from the URL they could alter the number and get someone else's account details. I could get their account id at login and put that into a session account id and search using the session account id, then no one could alter it. Just wondered how others address this.

PFMaBiSmAd Posted November 18, 2010

So, you already have the necessary code in place to do this and all it would take is adding one line of code to set a session variable with the id in your log in code and then another line of code to test that value in your member profile page.

Rifts Posted November 18, 2010

When someone logs in, just store their id in a session, then on the member profile pages just check that the current session id matches the profile they are viewing.

Simmo Posted November 18, 2010

Thanks, that's the way I'll go.
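
The check the thread settles on, written out as an added example (not code from any of the posters): the account id is stored in the session at login, and the `accountid` URL value is honoured only when it matches the session or the visitor is an administrator. The function names and the `account_id` / `is_admin` session keys are assumptions, and the arrays at the bottom are constructed stand-ins for `$_SESSION` and `$_GET`.

```php
<?php
// Added example, not code from the thread. The function names and the
// 'account_id' / 'is_admin' session keys are assumptions for illustration.
// Login handler: call once, after the password check has succeeded.
function on_login_success(array &$session, int $accountId, bool $isAdmin = false): void
{
    // In a live app, call session_regenerate_id(true) before this point.
    $session['account_id'] = $accountId;
    $session['is_admin']   = $isAdmin;
}

// Profile page: returns the account id to load, or null to refuse the request.
function resolve_profile_id(array $session, array $query): ?int
{
    if (!isset($session['account_id'])) {
        return null;                        // no logged-in session
    }
    $own = (int) $session['account_id'];
    if (!isset($query['accountid'])) {
        return $own;                        // nothing in the URL: own profile
    }
    // Strict integer parse; "2abc", "", and array values all fail.
    $requested = filter_var($query['accountid'], FILTER_VALIDATE_INT);
    if ($requested === false) {
        return null;
    }
    // The URL value is honoured only for the owner or an administrator.
    if ($requested === $own || !empty($session['is_admin'])) {
        return $requested;
    }
    return null;
}

// Constructed demo data standing in for $_SESSION and $_GET.
$member = [];
on_login_success($member, 2);
$admin = [];
on_login_success($admin, 1, true);
$cases = [
    'member, no id in URL' => [$member, []],
    'member, own id'       => [$member, ['accountid' => '2']],
    'member, altered id'   => [$member, ['accountid' => '3']],
    'member, malformed id' => [$member, ['accountid' => '2abc']],
    'admin, other account' => [$admin,  ['accountid' => '3']],
];
foreach ($cases as $label => [$session, $query]) {
    $id = resolve_profile_id($session, $query);
    echo str_pad($label, 22), $id === null ? 'refused' : "load account $id", PHP_EOL;
}
```

In the page itself, pass `$_SESSION` and `$_GET` to `resolve_profile_id()` and send a 403 response when it returns null, so the database query only ever receives an id the visitor is allowed to see.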