Step 1: Which church are you from - session initialised. Unique booking_id created and session id regenerated
Step 2: Add delegates - unique ticket_id
Step 3: Finalise booking, address details and payment
All steps are initiated from booking.php. At each step a summary so far is shown. I've successfully ensured that the steps have to be done in order and protected against resubmissions and back button issues.
I want to allow people to edit or cancel individual tickets during step 2. booking_id is in the $_SESSION and editticket.php?id=1 would allow editing of ticket_id 1
I check that the booking_id is in that ticket_id record in the ticket database table before allowing editing. I don't think that is enough security though.
Here's the plan
Code:
$_SESSION['token'] = "salt" . $booking_id;

Is it enough? Or do I need to do more to protect against people just trying to edit other people's tickets!
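As an added example (not the poster's code), here is one way editticket.php can enforce that a ticket may only be edited from the booking session that created it, and protect the edit form with a token that is unpredictable rather than derived from booking_id. It assumes a PDO handle $pdo, a `tickets` table with columns ticket_id, booking_id and delegate_name, and that step 1 stored the booking id in $_SESSION['booking_id'] and the current step in $_SESSION['step']; all of these names are assumptions for illustration.

```php
<?php
// Added example, not the poster's code. Assumptions: a PDO handle $pdo, a
// `tickets` table (ticket_id, booking_id, delegate_name), and step 1 having
// stored $_SESSION['booking_id'] and $_SESSION['step'].
declare(strict_types=1);
session_start();

// Per-session form token: created once from a CSPRNG, never from booking_id,
// so it cannot be guessed from a value another user can learn.
function csrf_token(): string {
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
}

// Ownership check: the ticket row must carry the booking_id held in the
// session. The booking_id is taken from the session, never from the request.
function load_own_ticket(PDO $pdo, int $ticketId, int $bookingId): ?array {
    $stmt = $pdo->prepare(
        'SELECT ticket_id, booking_id, delegate_name FROM tickets WHERE ticket_id = ? AND booking_id = ?'
    );
    $stmt->execute([$ticketId, $bookingId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- editticket.php request flow ---
if (!isset($_SESSION['booking_id']) || ($_SESSION['step'] ?? 0) < 2) {
    http_response_code(403);
    exit('No booking in progress.');
}

$ticketId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($ticketId === false || $ticketId === null) {
    http_response_code(400);
    exit('Bad ticket id.');
}

$bookingId = (int) $_SESSION['booking_id'];
$ticket = load_own_ticket($pdo, $ticketId, $bookingId);
if ($ticket === null) {
    // Same response whether the ticket is missing or belongs to another booking.
    http_response_code(404);
    exit('Ticket not found.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token.');
    }
    $name = trim((string) ($_POST['delegate_name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        exit('Delegate name is required (max 100 characters).');
    }
    // The write repeats the ownership condition so an UPDATE can never touch
    // a ticket outside this booking, even if the earlier check were bypassed.
    $upd = $pdo->prepare('UPDATE tickets SET delegate_name = ? WHERE ticket_id = ? AND booking_id = ?');
    $upd->execute([$name, $ticketId, $bookingId]);
    header('Location: booking.php?step=2');
    exit;
}

// GET: render the edit form with the session token as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
$name  = htmlspecialchars($ticket['delegate_name'] ?? '', ENT_QUOTES, 'UTF-8');
echo "<form method=\"post\" action=\"editticket.php?id={$ticketId}\">";
echo "<input type=\"hidden\" name=\"token\" value=\"{$token}\">";
echo "<label>Delegate name <input name=\"delegate_name\" value=\"{$name}\"></label>";
echo '<button type="submit">Save</button></form>';
```

The two properties worth keeping separate are ownership and form integrity: the booking_id in the session, matched in the WHERE clause of both the SELECT and the UPDATE, is what stops one booking editing another's tickets; the random token only guards the form against cross-site submissions and adds nothing to ownership if it is computed from booking_id.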