Security Issue..



ccrevling
Forum Newbie
Posts: 19
Joined: Mon Aug 06, 2007 1:34 pm

Security Issue..

Post by ccrevling »

So I have a site that allows employers to look at resumes and for people to submit applications (so it contains A LOT of private data), and there is a security issue. Now what happens is that if you go look at the resumes/applications, you can change the header id (in the address bar, change a 90 to 92 and you can see the person's app with the 92). So therefore, just by logging in, you can look at anyone's personal information. How can this be fixed? I am having a really hard time.
Should I use GETs and sessions or what?
bovermyer
Forum Commoner
Posts: 25
Joined: Tue Apr 08, 2008 9:14 am
Location: South Dakota

Re: Security Issue..

Post by bovermyer »

I see three things right off that you need to have:

1) Secure authentication. Personal data should be tied to a user.
2) User roles. Each user should have a role set (either "applicant" or "employer").
3) Role-based restriction. Only users of type "employer" should be able to view applications.

To solve this, you're going to need to use sessions and cookies. On the page that views an application, before you send header data to the browser, you should check the logged-in user's role to see if he is of type "employer" OR if he is the user tied to the application. If so, load the page. If not, redirect the user to a different page.
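As an added example (not code from either poster), here is how that pre-output check could look in PHP. It assumes login already stores `user_id` and `role` in the session, a connected PDO handle `$pdo`, and an `applications` table with an `applicant_user_id` column; all of these names are hypothetical.

```php
<?php
// Added example: authorize the request before sending any application data.
// Assumed schema/session layout (not from the original thread):
//   $_SESSION['user_id'], $_SESSION['role'] in {'applicant','employer'}
//   applications(id, applicant_user_id, body)
session_start();

// Employers may view any application; an applicant may view only their own.
function canViewApplication(array $session, ?array $app): bool
{
    if ($app === null) {
        return false;                       // unknown id: deny, do not reveal
    }
    if (($session['role'] ?? '') === 'employer') {
        return true;
    }
    return (int)$app['applicant_user_id'] === (int)($session['user_id'] ?? -1);
}

// 1) Require an authenticated session.
if (empty($_SESSION['user_id']) || empty($_SESSION['role'])) {
    header('Location: /login.php');
    exit;
}

// 2) Validate the id from the query string as an integer; reject anything else.
$appId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($appId === false || $appId === null) {
    http_response_code(400);
    exit('Invalid application id.');
}

// 3) Fetch with a prepared statement ($pdo assumed to be connected already).
$stmt = $pdo->prepare('SELECT id, applicant_user_id, body FROM applications WHERE id = ?');
$stmt->execute([$appId]);
$app = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

// 4) Deny unless the logged-in user is an employer or owns this application.
//    "Not found" and "not allowed" get the same response so ids cannot be probed.
if (!canViewApplication($_SESSION, $app)) {
    error_log(sprintf('application %d denied to user %d', $appId, $_SESSION['user_id']));
    header('Location: /denied.php');
    exit;
}

// 5) Only now produce output, escaped for HTML.
echo htmlspecialchars($app['body'], ENT_QUOTES, 'UTF-8');
```

The key point is that the check uses the server-side session and the record's owner column, never anything the browser supplies, so editing the id in the address bar only changes which record is looked up, not who is allowed to see it.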