Block PHP page access through the URL | Doubt about PHP page security

Question

Block PHP page access through the URL | Doubt about PHP page security

Asked 7 years, 4 months ago

Viewed 856 times

0

DOUBT 1

On my site I have PHP pages that register/login users, products, and other things, which I call through ajax. Have some way to not allow people to access these pages via URL?

Example: meusite.com/connection/cadastre.php

DOUBT 2 | Related to the first

To block access to restricted areas of the site I am using:

if(!isset($_SESSION['user_logado'])){
    header("Location: index.php");
    exit;
}

That’s the best way?

If it’s not the best, it can be considered safe?

It could use this method for protection of pages cited in DOUBT 1?

Wouldn’t there be any conflict with ajax? since the person would still not be logged in

DOUBT 3

I’m not as experienced in PHP as I’d like, so excuse me for ignorance, as far as I know, the PHP content of a page is not available for users to see, such as connection to BD, login and registration and others, but I believe that this access is possible by brute force. Can I rely on PHP’s own security or would it be necessary to make an additional security? As consulted in the first two questions.

1 answer

Browser other questions tagged php security-guard

You are not signed in. Login or sign up in order to post.

by Rafael Salomão • **2,027** points · Answer 1 · 2017-07-12T01:58:51+00:00

If this session is established through login and password yes access is secure however in your code where you do the redirect could send together with the redirect a response header HTTP status 403OR HTTP STATUS 401

403 Forbidden vs 401 Unauthorized HTTP Responses ie (unauthorized)

if(!isset($_SESSION['user_logado'])){
     header('HTTP/1.0 403 Forbidden');
     header("Location: index.php");
     exit;
}

Also on each php page that communicates with its management interface it is necessary to check in the login and password database and if the session exists. Also on your login page at the values received from the login and password field filter out special characters like quotes that could create security holes.

Finally, create criteria to define your passwords, and never load them into a session variable instead create a hash with sha256 php and always compare the hash in the database.

This is a very broad question about safety if there are questions do not hesitate to post.

Hugs.