Anyone validating URLS passed to your app???
#3

[eluser]obiron2[/eluser]
I agree entirely.

When your URL contains elements that direct to restricted pages, you need to validate that:

a) The user is logged in
b) The user has access to the specified module (controller/method)
c) The user that is logged in matches the user credentials passed in the URL.

I am busy implementing FREAKAUTH into a dev site at the moment, with a redirect to the login page and pass-through to the requested page (storing the requested URL in the session cookie) if login is successful and credentials match.

The only time I have used any sort of encryption in a URL was when I had an interactive website (poker clock) that did lots of client-side processing but needed to send a large amount of data (to re-organise players at tables) back to CI and redisplay the information using Ajax. To this end, I took the tables collection object (tables->table->players->player), serialised the object, and then used the JavaScript urlencode() to send the serialised object back to CI as a single URL segment, where I then unencoded it and unserialized it so that I could update the database and send the Ajax request back to the client.
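The three checks listed in the post above, with the stored return URL restricted to a local path, as an added example that is not the poster's code and does not use FreakAuth's API. The function names, session keys and ACL layout are hypothetical, and the sample data is constructed.

```php
<?php
// Added example. authorize_request(), safe_local_path(), the session keys
// and the $acl layout are hypothetical, not part of CodeIgniter or FreakAuth.

/** Returns 'ok', 'login' (send to the login page) or 'deny' (refuse). */
function authorize_request(array &$session, array $acl, string $controller,
                           string $method, ?string $urlUserId): string
{
    // a) The user is logged in. If not, remember the requested page so the
    //    login step can pass the user through to it afterwards.
    if (empty($session['user_id'])) {
        $session['requested_url'] = safe_local_path("/$controller/$method");
        return 'login';
    }

    // b) The user's role has access to the requested controller/method.
    $allowed = $acl[$session['role'] ?? ''] ?? [];
    if (!in_array("$controller/$method", $allowed, true)
        && !in_array("$controller/*", $allowed, true)) {
        return 'deny';
    }

    // c) A user id passed in the URL must match the logged-in user.
    if ($urlUserId !== null
        && !hash_equals((string) $session['user_id'], $urlUserId)) {
        return 'deny';
    }
    return 'ok';
}

/** Keep only plain local paths; anything else falls back to the home page. */
function safe_local_path(string $path): string
{
    return preg_match('#^/[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$#', $path) ? $path : '/';
}

// Constructed sample data.
$acl     = ['member' => ['profile/view', 'profile/edit'], 'admin' => ['admin/*']];
$session = ['user_id' => '42', 'role' => 'member'];
$anon    = [];

var_dump(authorize_request($session, $acl, 'profile', 'edit', '42')); // own record
var_dump(authorize_request($session, $acl, 'profile', 'edit', '7'));  // another user's id
var_dump(authorize_request($session, $acl, 'admin', 'users', null));  // module not granted
var_dump(authorize_request($anon, $acl, 'profile', 'view', null));    // not logged in
var_dump($anon['requested_url']);                                     // stored for pass-through
```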

