0

im coding a website using js and c#. i link between them using generic handlers.

what i want to do is letting the user delete (or edit general) his own content, whereas same data is shown to everyone. for example - as logged-in user in this website's homepage - let the user delete his own questions.

how can i achieve that without creating security holes? i thought about keeping a cookie and check it on every request.

how facebook, for example, let me delete only my own comments and not others? do they maintain session for each user?

any ideas?

Yaniv
  • 1,906
  • 2
  • 16
  • 23

1 Answers1

0

Your users should only have that type of access to CRUD functionality when logged in. Then, the functions that actually edit and delete should validate that the content is owned by that user. THEN on top of that, you should only display the edit / delete functionality UI for that content when it is owned by them.

Kristian
  • 21,204
  • 19
  • 101
  • 176
  • to be specific, how my users would get that type of access? is that by cookie? is that by attaching thier userID in each request? the latter sounds like a security hole. – Yaniv Jan 18 '12 at 05:34
  • keep in mind that you can do literally anything you want. if you want only a certain role of users to be able to edit their own stuff, then make a role, and only give it to whomever should have it. You'd never want to attach a user ID to a url (if i'm understanding you correctly) ever. If you stored it in a cookie, you'd want to store it as an encrypted string, and then check it before allowing any functions to be run. – Kristian Jan 18 '12 at 15:46
  • that's for sure. but how can i force that rule? encrypted string in a cookie? – Yaniv Feb 04 '12 at 14:32