creating unique user id for database


webboy1

12:50 pm on Jul 16, 2003 (gmt 0)

10+ Year Member



I am in the middle of creating a game using lots of DB tables. From the start, the user must log in, after which they are free to do whatever they like within their section.

Their details are dependent on their user id, which is pulled when the user logs in.

This basically means all URLs end with, for example, something.asp?id=3

All works fine; however, the user ids are just the auto increment number from SQL Server, i.e. the number allocated to each entry.

Is there any other way I can create a unique id a little less obvious than a 1, 2, 3 or 4 digit number? And still have it completely unique?

I know it can be done, I'm just not sure how to do it.

Cheers
Webboy

le_gber

1:29 pm on Jul 16, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why not use their email? It's always unique.

Leo

webboy1

1:43 pm on Jul 16, 2003 (gmt 0)

10+ Year Member



I had thought of that, but was more looking for a long number that people would find hard to guess.

I don't want people to be able to change the URL to get into someone else's account.

This already shouldn't happen as I have a security check function happening on every page, comparing this id number to the username passwords saved in sessions. Not the best explanation, but it works very well.

Oh, well, I guess I could just use the single digit id, or I suppose I could make my auto increment in SQL Server start at, say, '000000001'.

Webboy

le_gber

1:47 pm on Jul 16, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why not use the session ID? You won't have any personal info in the URL that way.

Leo

Dreamquick

1:58 pm on Jul 16, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Append a 4-6 digit random number in front of the incrementing numeric key formatted to a fixed length (i.e. 123456 + 000000001 => 123456000000001); this way you get something a lot harder to guess and which looks a lot less like an auto-incrementing key.

To be honest, I'd avoid having a "my details" page driven by querystring data because it's ridiculously easy to force data out of it.

A more secure solution would be to force login - this way everyone has to authenticate before they get access to any information and you can then use the session to hold authentication information - such as userid.

PS. Email as a unique key is a very bad idea because sooner or later two people will want to sign up with the same email address & then you have to redevelop the system.

- Tony

webboy1

2:15 pm on Jul 16, 2003 (gmt 0)

10+ Year Member



The user already is forced to log in, and it is hard for them to get into others' areas... I think.

What I have set up so far is a registration page. Once registered, the user and password are in the database.

When the user logs in using the username and password, they are kept within individual session objects. Then, a function is called on every page, comparing the username and password from the row in the database where id = whatever is passed in the querystring, to the username and password in the session objects.

Meaning...

If the page is at something.asp?id=1 and the user manually alters this to something.asp?id=2, the function will notice that the id does not match the user and pass in the session object... again, not a great explanation, but it works.

I think, though, I should be dropping this user_id into a session rather than into the querystring; that way no personal information is passed in the querystring.

I like the id of the random unique number, but I am not too sure how to create it with ASP.

Thanks

Webboy

Dreamquick

2:52 pm on Jul 16, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Randoms are really simple - have a look at Randomize and Rnd() in the online documentation for ASP.

From there you just need to pad out the original and generate a suitable random number and then finally combine the two literals together to make your unique user identification number.

PS. If you know the user's ID why do you need to have it in the querystring if it's already in the session?

- Tony

martyt

2:52 pm on Jul 16, 2003 (gmt 0)

10+ Year Member



Use GUIDs. They're guaranteed unique and (for the most part) impossible to guess.

Assign a GUID to each new login you create, store it in the DB with the other login info and drag it around as the "session" identifier in your query string. You won't rely on sessions (and thus, cookies).

If you're going to use sessions anyway, then drop the whole ID-dragging business and just set a session variable to identify the user.
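Added example, not part of any post in this thread: a Python sketch (rather than ASP) of the two identifier ideas above, the random prefix in front of the padded auto-increment key and a fully random identifier stored beside the login row. It assumes Python's `secrets` module in place of ASP's `Rnd()`, which is not a cryptographic generator, and an in-memory SQLite table standing in for SQL Server; the function, table and column names are hypothetical.

```python
import math
import secrets
import sqlite3

PREFIX_DIGITS = 6  # assumption: upper end of the thread's "4-6 digit" prefix
ID_DIGITS = 9      # fixed width, as in 123456 + 000000001

def prefixed_id(row_id: int) -> str:
    """Random prefix in front of the zero-padded auto-increment key."""
    prefix = secrets.randbelow(10 ** PREFIX_DIGITS)
    return f"{prefix:0{PREFIX_DIGITS}d}{row_id:0{ID_DIGITS}d}"

def unpredictable_bits(prefix_digits: int) -> float:
    """Only the prefix is random; the padded key stays readable in the id."""
    return math.log2(10 ** prefix_digits)

def open_id_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " username TEXT NOT NULL,"
        " public_id TEXT NOT NULL UNIQUE)"  # the database enforces uniqueness
    )
    return conn

def create_user(conn: sqlite3.Connection, username: str, max_tries: int = 5) -> str:
    """Store a 128-bit random public id; draw again if the UNIQUE constraint rejects it."""
    for _ in range(max_tries):
        public_id = secrets.token_hex(16)  # 16 random bytes, 32 hex characters
        try:
            with conn:  # commits on success, rolls back on error
                conn.execute(
                    "INSERT INTO users (username, public_id) VALUES (?, ?)",
                    (username, public_id),
                )
        except sqlite3.IntegrityError:
            continue
        return public_id
    raise RuntimeError("could not allocate a unique public id")
```

With a six-digit prefix the identifier carries about 20 bits of randomness and the row number can still be read from its last nine digits; the stored token carries 128 bits and reveals nothing about insertion order.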

webboy1

3:13 pm on Jul 16, 2003 (gmt 0)

10+ Year Member



Dreamquick,

I actually hadn't been putting the user_id into a session. I had been dropping the username and password into sessions, so I am now wondering why I never used the same method for the user_id.

I am now in the process of fixing.

Webboy
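Added example, not part of any post in this thread: a Python sketch (rather than ASP) of the two designs discussed, a details page that reads `id` from the querystring and compares it with the session, and one that takes the user id from the session alone. It is simplified so the session holds the user id instead of the username and password; the table, rows and function names are constructed, and credential checking at login is assumed to have happened already.

```python
import sqlite3

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, details TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice: 120 gold"), (2, "bob", "bob: 75 gold")],  # constructed rows
    )
    return conn

def start_session(conn, session: dict, username: str) -> None:
    """Called only after the login form's credentials were verified (not shown)."""
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        raise LookupError("unknown user")
    session.clear()
    session["user_id"] = row[0]  # server-side record of who is logged in

def details_by_query(conn, session: dict, query: dict):
    """First design: the id comes from the URL and is then compared with the session."""
    if "user_id" not in session:
        return 401, None
    try:
        requested = int(query.get("id", ""))
    except ValueError:
        return 400, None
    if requested != session["user_id"]:  # every page has to repeat this check
        return 403, None
    row = conn.execute("SELECT details FROM users WHERE id = ?", (requested,)).fetchone()
    return 200, row[0]

def details_by_session(conn, session: dict, query: dict):
    """Later design: the URL carries no id; the session decides whose row is read."""
    if "user_id" not in session:
        return 401, None
    row = conn.execute(
        "SELECT details FROM users WHERE id = ?", (session["user_id"],)
    ).fetchone()
    return 200, row[0]
```

In the second handler an edited `id` parameter has no effect, because the query never reads it.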