I'm coding a website using JS and C#. I link between them using generic handlers.
What I want to do is let the user delete (or edit, in general) his own content, whereas the same data is shown to everyone. For example, as a logged-in user on this website's homepage, let the user delete his own questions.
How can I achieve that without creating security holes? I thought about keeping a cookie and checking it on every request.
How does Facebook, for example, let me delete only my own comments and not others'? Do they maintain a session for each user?
Any ideas?
Your users should only have that type of access to CRUD functionality when logged in. Then, the functions that actually edit and delete should validate that the content is owned by that user. THEN on top of that, you should only display the edit / delete functionality UI for that content when it is owned by them.
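Here is what the answer's first two points look like in the asker's own setup, an ASP.NET generic handler (`.ashx`) for the delete action. This is an added example, not code from the original question or answer. It assumes a `Questions` table with columns `Id` and `OwnerUserId`, that login stores the user's id server-side in `Session["UserId"]` (the browser's session cookie only carries an opaque id, so the user cannot edit their identity into it), and a connection string named `Site` in web.config; all of those names are assumptions.

```csharp
// Added example: an .ashx generic handler that deletes a question only when
// the caller is logged in AND owns the row. Assumed names: Questions(Id,
// OwnerUserId), Session["UserId"] set at login, connection string "Site".
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.SessionState;

public class DeleteQuestion : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // A delete must only be reachable via POST, never via a plain GET link.
        if (context.Request.HttpMethod != "POST")
        {
            context.Response.StatusCode = 405;
            return;
        }

        // 1. Logged in? Identity comes from the server-side session, not from
        //    anything the client sends in the form or a readable cookie.
        object userIdObj = context.Session["UserId"];
        if (userIdObj == null)
        {
            context.Response.StatusCode = 401;
            return;
        }
        int userId = (int)userIdObj;

        int questionId;
        if (!int.TryParse(context.Request.Form["questionId"], out questionId))
        {
            context.Response.StatusCode = 400;
            return;
        }

        // 2. Owned by this user? Ownership is enforced in the same statement
        //    that deletes: the WHERE clause binds the row to the session user,
        //    so a forged questionId for someone else's question matches no rows.
        string cs = ConfigurationManager.ConnectionStrings["Site"].ConnectionString;
        int affected;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "DELETE FROM Questions WHERE Id = @id AND OwnerUserId = @owner", conn))
        {
            cmd.Parameters.AddWithValue("@id", questionId);
            cmd.Parameters.AddWithValue("@owner", userId);
            conn.Open();
            affected = cmd.ExecuteNonQuery();
        }

        // Zero rows means "not found" or "not yours"; answer 403 for both so the
        // handler does not tell a caller which questions exist.
        context.Response.StatusCode = affected == 1 ? 204 : 403;
    }
}
```

In a `.ashx` file this class sits under the usual `<%@ WebHandler Language="C#" Class="DeleteQuestion" %>` directive, and the page's JavaScript posts `questionId` to it. The third point of the answer, showing the delete button only on the user's own questions, is done in that client-side JavaScript and is purely a usability measure: anyone can call the handler with any id, and this handler is what stops them. One caveat that follows from relying on the session cookie: the browser attaches it to any POST to your site, including one triggered from another site, so the handler should also require an anti-forgery token that your own page embeds in the request.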