So I have a site that allows employers to look at resumes and for people to submit applications (so it contains A LOT of private data), and there is a security issue. Now what happens is that if you go look at the resumes/applications you can change the header id (in the address bar, change a 90 to 92 and you can see the person's app with the 92). So therefore, just by logging in, you can look at anyone's personal information. How can this be fixed? I am having a really hard time.
Should I use GETs and sessions, or what?
Security Issue..
Re: Security Issue..
I see three things right off that you need to have:
1) Secure authentication. Personal data should be tied to a user.
2) User roles. Each user should have a role set (either "applicant" or "employer").
3) Role-based restriction. Only users of type "employer" should be able to view applications.
To solve this, you're going to need to use sessions and cookies. On the page that views an application, before you send header data to the browser, you should check the logged-in user's role to see if he is of type "employer" OR if he is the user tied to the application. If so, load the page. If not, redirect the user to a different page.
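The check described in the reply above, as an added example that is not code from the thread: the viewing user's identity comes from the server-side session, the requested id from the query string is validated, and the page is served only if the user is an employer or is the applicant the record belongs to. The in-memory USERS and APPLICATIONS tables, the User/Application shapes and the (status, body) return convention are assumptions standing in for a real database and framework. One deliberate choice differs from the reply's "redirect" advice: a record the user may not see gets the same 404 as a record that does not exist, so a logged-in user cannot tell which ids are real by walking the address bar.

```python
# Added example, not from the original thread. The data store, the User and
# Application shapes and the handler's return convention are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "applicant" or "employer"

@dataclass(frozen=True)
class Application:
    id: int
    applicant_id: int  # the user whose personal data this is
    body: str

# Constructed sample data standing in for the database.
USERS = {
    1: User(1, "applicant"),
    2: User(2, "applicant"),
    3: User(3, "employer"),
}
APPLICATIONS = {
    90: Application(90, 1, "Resume of user 1"),
    92: Application(92, 2, "Resume of user 2"),
}

def can_view(user: User, app: Application) -> bool:
    """Authorization rule from the reply: employers may view any application,
    an applicant only the one tied to their own account."""
    return user.role == "employer" or app.applicant_id == user.id

def view_application(session: dict, requested_id) -> Tuple[int, str]:
    """Handler for a page like /application?id=N.

    `session` is the server-side session: the caller's identity is taken from
    here and never from the URL. `requested_id` is the raw query-string value,
    so it is validated before it is used as a key.
    """
    user: Optional[User] = USERS.get(session.get("user_id"))
    if user is None:
        return 302, "/login"          # not logged in: redirect to the login page
    try:
        app_id = int(requested_id)
    except (TypeError, ValueError):
        return 400, "bad id"          # reject garbage before touching the store
    app = APPLICATIONS.get(app_id)
    # Same response for "does not exist" and "not yours", so an authenticated
    # user cannot enumerate which ids hold real records.
    if app is None or not can_view(user, app):
        return 404, "not found"
    return 200, app.body
```

The important part is that `can_view` runs on every request for the record, server-side, after the record has been loaded: changing 90 to 92 in the address bar then yields nothing for an applicant who does not own id 92, while an employer still sees it.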