3.7 Insecure Direct Access or Object Reference
In this lesson, I'll demonstrate insecure direct object reference by showing how session data should be used to control users' access to secure portions of the website. We'll see how relying on parameters passed in the URL, rather than on the server-side session, can lead to vulnerabilities in the application.
I'll then show that limiting permissions applies not just to ordinary users but also to admins and other accounts on the website with elevated privileges. Permission limiting is necessary to contain the damage if an admin or user account is compromised.
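As an added example that is not part of this lesson, the following Python sketch contrasts a handler that trusts the invoice id in the URL with one that decides access from session data, and applies the same least-privilege idea to elevated roles. The invoice records, role names and permission strings are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: str

# Constructed sample data: two users, each owning one invoice.
INVOICES = {101: Invoice(101, owner_id=1, total="40.00"),
            102: Invoice(102, owner_id=2, total="1250.00")}

# Least privilege for elevated accounts (hypothetical roles): support may read
# any invoice but cannot refund one, so a compromised support login moves no money.
ROLE_PERMISSIONS = {
    "user":    {"invoice:read_own"},
    "support": {"invoice:read_own", "invoice:read_any"},
    "admin":   {"invoice:read_own", "invoice:read_any", "invoice:refund"},
}

@dataclass(frozen=True)
class Request:
    session_user_id: int   # set server-side at login, not client controlled
    session_role: str      # also server-side session data
    url_params: dict = field(default_factory=dict)  # ?invoice_id=102, client controlled

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(req: Request) -> Invoice:
    """IDOR: the lookup trusts the id from the URL and never asks who owns it."""
    return INVOICES[int(req.url_params["invoice_id"])]

def get_invoice_hardened(req: Request) -> Invoice:
    """Same lookup, but the decision comes from the session, not the URL."""
    perms = ROLE_PERMISSIONS.get(req.session_role, set())
    inv = INVOICES.get(int(req.url_params["invoice_id"]))
    owns_it = inv is not None and inv.owner_id == req.session_user_id
    # One error for "missing" and "not yours", so ids cannot be probed.
    if inv is None or not (owns_it or "invoice:read_any" in perms):
        raise Forbidden("invoice not found")
    return inv

def refund_invoice(req: Request) -> str:
    """Elevated action: reading every invoice does not imply the right to refund."""
    if "invoice:refund" not in ROLE_PERMISSIONS.get(req.session_role, set()):
        raise Forbidden("refund not permitted for this role")
    inv = get_invoice_hardened(req)
    return f"refunded invoice {inv.id} for {inv.total}"

def denied(handler, req: Request) -> bool:
    """True if the handler refuses the request; used to exercise the checks."""
    try:
        handler(req)
    except Forbidden:
        return True
    return False
```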