My customer has many clients of his own and has to send them their daily report.
I have three pages: the reports page, the monthly report page and the daily report page.
On the reports page, it shows all clients' call numbers for all months, and if I click a number it takes me to the specific monthly report page.
On the monthly report page, it shows all clients' monthly call totals, and if I click a number it takes me to the daily report of the specific client. And on the daily report page,
there is a hyperlink saying "Back to Monthly report" with which you can go back to the monthly report.
Previously (without using sessions), I passed all arguments through the link from the reports page to the monthly report page and from the monthly report page to the daily report page,
something like this,
and from the daily report page to the monthly report page,
echo "<p><a href = \"monthlyReport.php?date=$date&fromTime=$fromTime&toTime=$toTime\">Back to Monthly Reports Page</a></p>";
My customer complained that if he sends a daily report to a client just by capturing the HTML page, this client can easily get into this daily report page by typing the same URL, and from this daily report page he can easily go back to the monthly report (from the hyperlink) and see all the other competitors' call records, which shouldn't be allowed.
I thought maybe it was because I passed the parameters directly, so I decided to use sessions.
So I changed my code like this:
echo "<p><a href = \"monthlyReport.php?numMonth=$numMonth\">Back to Monthly Reports Page</a></p>";
O.K., it still works (showing the correct call number), which is good.
BUT it still has the same problem.
If I open the new web site and type the daily report URL, it takes me to the daily report page, and it still takes me back to the monthly report when I click the "Back to Monthly Report" hyperlink.
Maybe I am misunderstanding the whole session concept?
(I thought sessions could prevent this kind of security hole.)
Or is there something wrong with my revised code?
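A session only tells the server who is browsing; by itself it does not decide what that visitor may see, so moving `$numMonth` out of the URL changes nothing about who can open `monthlyReport.php`. The listing below is an added example (my own code, not the code from the question or from its author) of the authorization check every report page needs before it prints anything. It assumes a login page that, after verifying the password, stores a hypothetical `role` (`owner` for the customer, `client` for one of his clients) and `client_id` in the session; it also assumes a PDO handle `$pdo` and hypothetical table and column names (`daily_calls`, `client_id`, `month`, `day`, `calls`). The helper functions would normally live in a shared include; they are shown in one file here only to keep the example self-contained.

```php
<?php
// Added example, not code from the question. Assumed session contents, set by
// login.php after a successful password check (session_regenerate_id(true)
// should be called there first, to prevent session fixation):
//   $_SESSION['user_id']   - hypothetical: id of the logged-in account
//   $_SESSION['role']      - hypothetical: 'owner' (your customer) or 'client'
//   $_SESSION['client_id'] - hypothetical: the one client this account may see
// $pdo (a PDO connection) and the table/column names are also assumptions.
session_start();

// Every report page must call one of the require_* helpers before output.
// A session identifies the visitor; it does nothing to stop a typed-in URL.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// reports.php and monthlyReport.php show every client's numbers, so only the
// owner may open them. A client who knows the URL gets 403, not the page.
function require_owner(): void
{
    require_login();
    if (($_SESSION['role'] ?? '') !== 'owner') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// dailyReport.php may be opened by the owner, or by the single client whose
// data it contains. The client id is compared against the SESSION, never
// against a value taken from the URL or a hidden form field.
function require_client_access(int $requestedClientId): void
{
    require_login();
    if (($_SESSION['role'] ?? '') === 'owner') {
        return;
    }
    if ((int) ($_SESSION['client_id'] ?? 0) !== $requestedClientId) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// --- dailyReport.php -------------------------------------------------------
// Validate the parameters before using them; anything that is not an int
// (or a month outside 1..12) is rejected rather than passed on.
$clientId = filter_input(INPUT_GET, 'clientId', FILTER_VALIDATE_INT);
$numMonth = filter_input(INPUT_GET, 'numMonth', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 12]]);
if (!is_int($clientId) || !is_int($numMonth)) {
    http_response_code(400);
    exit('Bad request');
}
require_client_access($clientId);

// Parameterised query: the values never become part of the SQL text.
$stmt = $pdo->prepare(
    'SELECT day, calls FROM daily_calls
      WHERE client_id = :cid AND month = :m
      ORDER BY day'
);
$stmt->execute([':cid' => $clientId, ':m' => $numMonth]);
foreach ($stmt as $row) {
    echo '<p>', htmlspecialchars($row['day']), ': ', (int) $row['calls'], "</p>\n";
}

// Hiding the link is NOT the control (require_owner() in monthlyReport.php
// is), but there is no point offering a client a link that only returns 403.
if (($_SESSION['role'] ?? '') === 'owner') {
    echo '<p><a href="monthlyReport.php?numMonth=', $numMonth,
         '">Back to Monthly Reports Page</a></p>';
}

// --- monthlyReport.php (first lines) ----------------------------------------
// require_owner();
// ... then query and print all clients' totals for $numMonth as before.
```

With this in place, a client who types the daily report URL from a captured page is first sent to `login.php`; after logging in he can open only the daily report whose `clientId` matches his own session, and `monthlyReport.php` answers 403 whether he follows the link or types the address. Passing the month through the session instead of the URL is harmless but optional; the check on the session's role and client id is what closes the hole.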