Re: how to avoid not using first page?

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 09/20/04


Date: Mon, 20 Sep 2004 16:44:51 GMT

On Mon, 20 Sep 2004 17:09:58 +0200, "Fred" <fff@its.gb> wrote:

>Hi,
>
>We have an intranet application which begins with a start page, which checks
>the login of the user (the security in IIS is set to "Anonymous not
>allowed") . In function of that 'remote_user' variable, the user gets a
>specific menu (there are normal user menu and admin menu). Suppose a
>hacker-user guesses the path name (or he saw it in the browser path line) of
>the administration pages. So it's possible for him to type himself e.g.:
>http://ourserver/admin.asp and so to get access to that administration menu
>without passing by the start page and so not be redirected to the normal
>user menu.
>
>How can we prevent this? (There are hundred pages).

Many ways. Set a session variable on the start page for example,
check for it on the remaining pages and redirect to the start if it
isn't set.

Jeff
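
The session check suggested in the reply, sketched in classic ASP as an added example that is not part of the original thread. It goes one step further than a bare "visited the start page" flag by storing the role derived from REMOTE_USER, so admin.asp can refuse a normal user who types its URL. The file name guard.asp, the helpers IsAdmin and RequireRole, the session keys and the admin list are all assumptions made for illustration.

```asp
<%
' ---- guard.asp (hypothetical include, shared by start.asp and every protected page) ----

' Constructed admin list; a real site would look this up in its own user table.
Function IsAdmin(user)
    IsAdmin = (InStr(1, ";intranet\alice;intranet\bob;", ";" & user & ";", vbTextCompare) > 0)
End Function

' Called by start.asp only. IIS has already authenticated the request
' (anonymous access is disabled), so REMOTE_USER comes from the server.
Sub StartSession()
    Dim user
    user = LCase(Request.ServerVariables("REMOTE_USER"))
    Session("User") = user
    If IsAdmin(user) Then
        Session("Role") = "admin"
    Else
        Session("Role") = "user"
    End If
End Sub

' Called first thing on every other page, before any output is written.
Sub RequireRole(required)
    ' No role in the session: the start page was skipped or the session expired.
    If IsEmpty(Session("Role")) Then
        Response.Redirect "start.asp"
    End If
    ' The session was created for a different authenticated user.
    If Session("User") <> LCase(Request.ServerVariables("REMOTE_USER")) Then
        Session.Abandon
        Response.Redirect "start.asp"
    End If
    ' Logged-in normal user asking for an admin page: refuse, do not redirect.
    If required = "admin" And Session("Role") <> "admin" Then
        Response.Status = "403 Forbidden"
        Response.Write "Access denied."
        Response.End
    End If
End Sub
%>

<%' ---- top of admin.asp ---- %>
<!-- #include file="guard.asp" -->
<% RequireRole "admin" %>

<%' ---- top of a normal user page ---- %>
<!-- #include file="guard.asp" -->
<% RequireRole "user" %>
```

With a hundred pages, the two-line header is the only per-page change; the checks themselves live in the single include.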