
What's worse: every customer's ID in the database was stored in the URL, or that there was no ACL to test against? If a user is logged in, you have their account ID stored in a session. If they navigate to a page that their account ID can't see (like another person's account), then kick them out. Astoundingly simple.
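The check the comment describes, as an added example that is not part of the thread and not the code of the site being discussed: a lookup that trusts the account ID taken from the URL, beside the same lookup gated on the ID held in the server-side session. The account data, the `Session` shape, the `Forbidden` exception and the audit list are all constructed for this illustration.

```python
# Added example (not from the Hacker News thread): object-level authorization
# on an account page, written in plain Python with no web framework so it runs
# offline. ACCOUNTS, Session, Forbidden and DENIED_ACCESS are constructed here.

from dataclasses import dataclass, field

# Constructed sample data keyed by the account ID that, per the comment, was
# exposed in the URL.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 120.50},
    1002: {"owner": "bob", "balance": 9000.00},
    1003: {"owner": "carol", "balance": 42.00},
}

# Denials are recorded so a defender can spot a session probing other IDs.
DENIED_ACCESS: list = []


@dataclass
class Session:
    """Server-side session state. The IDs here are set at login and are
    never taken from the request, so the client cannot rewrite them."""
    account_id: int
    # Extra accounts this login may view (e.g. a linked family account).
    # Empty for an ordinary customer.
    delegated_account_ids: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the requested account is not visible to this session."""


def vulnerable_account_view(session: Session, url_account_id: int) -> dict:
    """Insecure version: trusts the ID in the URL and never consults the
    session, so any logged-in user can read any account (the flaw the
    comment describes)."""
    return ACCOUNTS[url_account_id]


def can_view(session: Session, account_id: int) -> bool:
    """The ACL test the comment calls 'astoundingly simple': the requested
    ID must be the session's own account or one it has been delegated."""
    return account_id == session.account_id or account_id in session.delegated_account_ids


def hardened_account_view(session: Session, url_account_id: int) -> dict:
    """Secure version: compare the URL ID with the session before touching
    the data. Unknown and foreign IDs get the same response so a caller
    cannot use the error to enumerate which IDs exist."""
    if not can_view(session, url_account_id):
        DENIED_ACCESS.append(
            {"session_account": session.account_id, "requested": url_account_id}
        )
        raise Forbidden("account not visible to this session")
    account = ACCOUNTS.get(url_account_id)
    if account is None:
        raise Forbidden("account not visible to this session")
    return account


if __name__ == "__main__":
    alice = Session(account_id=1001)
    # The vulnerable handler hands Alice's session Bob's record.
    print("vulnerable:", vulnerable_account_view(alice, 1002)["owner"])
    # The hardened handler serves Alice her own record and refuses Bob's.
    print("own account:", hardened_account_view(alice, 1001)["owner"])
    try:
        hardened_account_view(alice, 1002)
    except Forbidden as exc:
        print("denied:", exc, DENIED_ACCESS[-1])
```

The important design point is that the comparison uses only values the server set at login; the URL parameter is treated as untrusted input that must match the session, never as an identity claim. Returning the same `Forbidden` for a foreign ID and a nonexistent ID keeps the response from revealing which IDs are valid, and the recorded denials give a simple signal for a session that walks through many IDs.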

