Restrict page access to user logged in

I think I asked a similar question a while ago, but it doesn't seem to be working here.

Basically users can log in, and create tour itineraries associated with them.

So when they log in, they can view the itineraries they have added.

That's all working, but itineraries other than their own can be viewed just by changing the ID number at the end of the URL.

I've added:

AND UserID = ParamUserID

to the recordset, and added the variable:

ParamUserID
Integer
-1
$_SESSION['SecurityAssist_UserID']

Which I thought was the solution, but its not working here.

I've attached a copy of the page.

Thanks again.

It looks like you are displaying rows from the recordset "ItineraryProfiles" and that recordset doesn't have a parameter filtering with the Session variable. I think you just need to add it to that recordset as well.

Thanks Ray - I've added that, but its still letting me view other users itineraries by changing the URL. I've attached a revised copy of the page.

This looks like it should work. Do you have a url where I can see the problem? Are you sure you uploaded the files after adding the session variable parameter? Are you switching to another id owned by that user or one they shouldn't be able to access?

I think I've uploaded everything I need to - the page in question, and all the webassist folders.

For testing purposes, try this URL:

trade_login/

Login with:

johngordon
talisker

Click on View Your Itineraries.

You should see Itineraries with the IDs : 127, 125, 126, 122, 124, 129

Click on an itinerary name to go to the details page.

Try changing the ID at the end of the URL to 118.

I notice now that the Itinerary Profile section isn't displaying.

What should happen here anyway? Should the user be presented with the log in page?

Well technically this would only happen if the user was trying to hack into someone else's data by changing the url, so I'm not sure how important it is to have a smooth user experience for this case.

You could add logic to redirect to another page (the login page makes sense) when the recordset is empty.

In terms of security it seems quite important that one user is not able to view and edit another users's data simply by changing an ID in the URL.

I don't follow the bit about the empty recordset, as in this scenario the recordset wouldn't be empty.

Yes, of course... sorry I misinterpreted your last post and thought you had it working now.

I'm going to open a support ticket so we can schedule a screen sharing session to determine what exactly is going wrong since it looks like it should be working to me, but I can see that it isn't.

Thanks Ray, and no worries about the ambiguity.