Hello,
I've been trying to get some understanding of an issue I'm having, and I'm hoping that someone here can explain to me how this really works.
For my app I created a login service that returns a session token that I store as an LSV. I also store the username as an LSV.
Now I have secured my collection in the database, and it all works fine: if I don't have a valid session token, it won't let me retrieve any information.
As part of my query I narrow down the result by using a "where" item with the following JavaScript: return '{"$and":[{"UserName":"' + localStorage.getItem('userid')+'"},{"Status":"Active"},{"Type":"Word"}]}'; This part works fine for the initially stored userid.
The problem I have is that I can change the userid under Google Chrome, for example, and rerun the app. In this case I have a valid user session token, but the result I get is not for the userid I logged in with using username and password, but for a userid I "hacked". Now obviously it's maybe a bit unlikely that I could guess all userids, but still it makes it very easy to bypass any security aspect.
I'm probably making some very basic mistake and hope that someone can point it out to me. Should I use the ACL somehow, or is there a method where the user session token is bound to the userid so that this can be checked easily?
Thanks