securing product paths

[philosophe]

I needed to build a configurator for my product, so I built a flow of
form pages that created and edited a class "foo". The last of the
pages in this flow did a form GET to the custom order product and
passed in the data from the configurator to the custom text field on
that custom order product's template form.

so the urls i built for the steps look like this:
- /shop/product/foo/ #step 0
- /shop/product/foo/17/step1/
- /shop/product/foo/17/step2/
- /shop/product/foo/17/step3/
- /shop/product/foo/foo/17/ # the custom order detail page
- /shop/cart/

the product is not created until that custom order product detail
page.

these urls allow me to jump to a particular step, and populate the
page from the appropriate foo fields.

my question is: can I secure these urls so only the user configuring
this particular foo-product can access this foo-product? The user has
not authenticated before starting this configuration.

thanks,
--derek

[Chris Moffitt]

I think you need to create a unique id of some sort, assign it to the user's session and validate it along each step to make sure they are the right person to access the step.

Does that make sense?

-Chris

[Bob Waycott]

Perhaps with a uuid that is saved to a user's session?