Several-step process: security concerns.
Posted: Tue Oct 24, 2006 7:05 am
Hi,
I am making an app like an ordering process.
The thing is... it has several steps in it.
The problem is I cannot use just sessions... because I want no data to be lost.
So on each step I pretty much save the data to a database (using the SID as PK), and if all is OK I redirect the client to the next step with the appropriate SID in $_GET['sid'].
There I take all the data from the database (based on $_GET['sid'])... if this SID really has reached this step, I continue; else I redirect to the step he should be on.
Do you think this is somehow a security problem? One thing I see is... if someone hits a correct SID, he will be introduced into someone else's order. What are the chances? I know this is security through obscurity, but...
So there come two scenarios:
- the user is able to continue his order some other time - set a cookie with the SID... when he/she returns, the cookie is read and the SID is used to continue. (Problem with someone hitting a random SID.)
- we don't want the user to continue from where he was, but to start over - on the first step store a session flag... if on the next steps this flag is not set, redirect the user to step 1.
How could I solve each of these scenarios?
I kind of don't like all this but am not sure yet... Any comments are more than welcome.
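The two scenarios above come down to one thing: the order key must not be guessable, and the server must decide which step the client may be on. The example below is an added illustration written for this thread, not the poster's code. It is in Python, with an in-memory dict standing in for the orders table and a plain dict standing in for the PHP session; the step names, the `OrderStore` and `handle_step` names, and the sample form data are all made up for the example. The PHP equivalents of the two primitives it relies on are `bin2hex(random_bytes(32))` for the token and `hash_equals()` for the comparison.

```python
"""Multi-step order state keyed by an unguessable token (added example).

The 'database' is an in-memory dict and the 'session' is a plain dict;
a real app swaps those for its orders table and server-side session and
keeps the same checks.
"""
import hashlib
import hmac
import secrets

# Hypothetical step names for the order flow; the real app has its own.
STEPS = ("cart", "address", "payment", "confirm")


def _digest(token: str) -> str:
    # Store only a hash of the token: a leaked table dump then does not
    # hand out live order tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class OrderStore:
    """Stand-in for the orders table (constructed, in-memory)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> {"step": int, "data": dict}

    def create(self) -> str:
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, so "someone
        # hitting a correct sid" is not a realistic threat (unlike a
        # sequential or date-based id, which is guessable in seconds).
        token = secrets.token_urlsafe(32)
        self._rows[_digest(token)] = {"step": 0, "data": {}}
        return token

    def lookup(self, token: str):
        return self._rows.get(_digest(token))


class NextStep(Exception):
    """Raised to 'redirect' the client to the step it should be on."""

    def __init__(self, step_name: str):
        super().__init__(step_name)
        self.step_name = step_name


def start_order(store: OrderStore, session: dict) -> str:
    """Step 1: create the order and bind its token to this session.

    The returned token is what the app would put in an HttpOnly cookie
    (scenario 1) rather than in the query string, so it does not leak
    through Referer headers, proxy logs or browser history.
    """
    token = store.create()
    session["order_token"] = token
    return token


def handle_step(store, session, token, step_name, form_data, resumable=False):
    """Process one step and return the name of the next one.

    resumable=False is scenario 2: only the session that started the
    order may continue it, so a returning visitor starts over.
    resumable=True is scenario 1: the cookie token alone is enough.
    """
    wanted = STEPS.index(step_name)
    row = store.lookup(token) if token else None
    if row is None:
        raise NextStep(STEPS[0])  # unknown or guessed token: start over
    if not resumable:
        owner = session.get("order_token")
        # Constant-time compare; a plain == would leak via timing.
        if owner is None or not hmac.compare_digest(owner, token):
            raise NextStep(STEPS[0])
    if row["step"] >= len(STEPS):
        raise NextStep("done")  # order already completed
    if row["step"] != wanted:
        # Client is ahead of or behind the server's record: send it to
        # the step the server says it is on, never trust the URL.
        raise NextStep(STEPS[row["step"]])
    row["data"][step_name] = form_data
    row["step"] = wanted + 1
    return STEPS[row["step"]] if row["step"] < len(STEPS) else "done"
```

Note that with the token bound to the session, the separate "session flag" from scenario 2 becomes unnecessary: a session without `order_token` fails the ownership check and is sent to step 1. For scenario 1, the cookie token is the whole secret, so it should be marked HttpOnly and Secure and given an expiry, and the server should drop rows that have not been touched for a while.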