Login data is visible on the browser console


I log in this way:

    <div class="container">
      <form class="form-signin" method="POST" action="./index.php/valida">
        <h2 class="form-signin-heading">Área Restrita</h2>
        <label for="inputnome" class="sr-only">Nome</label>
        <input type="text" name="nome" id="inputnome" class="form-control" placeholder="Nome" required autofocus>
        <label for="inputPassword" class="sr-only">Senha</label>
        <input type="password" name="senha" id="inputPassword" class="form-control" placeholder="Senha" required>
        <button class="btn btn-lg btn-danger btn-block" type="submit">Entrar</button>
      </form>
      <p class="text-center text-danger">
        <?php if (isset($_SESSION['loginErro'])) {
            echo $_SESSION['loginErro'];
            unset($_SESSION['loginErro']);
        } ?>
      </p>
      <p class="text-center text-success">
        <?php
        if (isset($_SESSION['logindeslogado'])) {
            echo $_SESSION['logindeslogado'];
            unset($_SESSION['logindeslogado']);
        }
        ?>
      </p>
    </div>

I validate the data in this way:

    if ((isset($_POST['nome'])) && (isset($_POST['senha']))) {
        $usuario = mysqli_real_escape_string($conn, $_POST['nome']); // Escape special characters such as quotes, preventing SQL injection
        $senha = mysqli_real_escape_string($conn, $_POST['senha']);
        $senha = sha1($senha);

        // Look up in the usuarios table the user matching the data typed into the form
        $result_usuario = "SELECT * FROM usuarios WHERE nome = '$usuario' && senha = '$senha' && situacoe_id = '1' LIMIT 1";
        $resultado_usuario = mysqli_query($conn, $result_usuario);
        $resultado = mysqli_fetch_assoc($resultado_usuario);
        if (isset($resultado)) {
            $_SESSION['usuarioId'] = $resultado['id'];
            $_SESSION['usuarioNome'] = $resultado['nome'];
            $_SESSION['usuarioNiveisAcessoId'] = $resultado['niveis_acesso_id'];
            $_SESSION['usuarioEmail'] = $resultado['email'];
            $_SESSION['usuarioSenha'] = $resultado['senha'];
            if ($_SESSION['usuarioNiveisAcessoId'] == "1") {
                header("Location: ./index.php/administrativo");
            } elseif ($_SESSION['usuarioNiveisAcessoId'] == "2") {
                header("Location: ./index.php/colaborador");
            } elseif ($_SESSION['usuarioNiveisAcessoId'] == "3") {
                header("Location: ./index.php/enfermagem");
            } else {
                header("Location: ./index.php/cliente");
            }
            exit; // stop the script after the redirect so nothing below runs
        } else {
            // No user was found in the usuarios table with the data typed into the form;
            // redirect the user to the login page
            // Global variable receiving the error message
            $_SESSION['loginErro'] = "Usuário ou senha Inválido";
            header("Location: ./login");
            exit;
        }
    } else {
        $_SESSION['loginErro'] = "Usuário ou senha inválido";
        header("Location: ./login");
        exit;
    }

The problem is that after logging in, if I check the browser console, I can see the user name and password, as shown in the image:

1 answer

The purpose of Developer Tools is to record everything that happens on the page, including requests and posts, so the information that was transmitted is there; it acts as a sniffer, but its purpose is not to reveal sensitive information.

But this is temporary: on the next request or navigation this data will be overwritten by other data when the page reloads. It does not happen only on your site; if you open the tool and log in to another service, email, etc., you will see that your initial request appears there too. But leave the tool open and let someone look, and it's like typing the password without the "*" :)

If you are concerned about this, you can encrypt the password before sending it and decrypt it on the server.

Now just one observation: since you are talking about security, is it really necessary to save the user's password in the session after you have already authenticated, on this line of code?

    $_SESSION['usuarioSenha'] = $resultado['senha']

  • yes, I need to save the password to the Session because without saving it the login is not validated

  • it's just that I didn't understand why you need to save the password if the database has already validated that it is correct and you have the user's "id", but it's only a note
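The validation step from the question rewritten along the lines of the answerer's observation, as an added example that is not the asker's or answerer's code: the plaintext password never enters the session, the query is a prepared statement, and the session id is regenerated after login. It assumes `$conn` is an open mysqli connection (with mysqlnd, for `get_result()`), the same `usuarios` columns as the question, and, as an assumption, that the `senha` column holds `password_hash()` output instead of a bare sha1.

```php
<?php
// Added example (not the code from the question or the answer).
// Assumes: $conn is a mysqli connection and usuarios.senha stores password_hash() output.
session_start();

function autenticar(mysqli $conn, string $nome, string $senha): ?array
{
    // The user name is bound as a parameter, never interpolated into the SQL string.
    $stmt = $conn->prepare(
        'SELECT id, nome, email, senha, niveis_acesso_id FROM usuarios '
        . 'WHERE nome = ? AND situacoe_id = 1 LIMIT 1'
    );
    $stmt->bind_param('s', $nome);
    $stmt->execute();
    $usuario = $stmt->get_result()->fetch_assoc(); // null when no row matches
    $stmt->close();

    // Compare against the stored hash; the plaintext is only ever held in this local variable.
    if ($usuario === null || !password_verify($senha, $usuario['senha'])) {
        return null;
    }
    return $usuario;
}

if (isset($_POST['nome'], $_POST['senha'])) {
    $usuario = autenticar($conn, $_POST['nome'], $_POST['senha']);
    if ($usuario !== null) {
        session_regenerate_id(true); // fresh session id after login, so a pre-login id cannot be reused
        $_SESSION['usuarioId'] = $usuario['id'];
        $_SESSION['usuarioNome'] = $usuario['nome'];
        $_SESSION['usuarioNiveisAcessoId'] = $usuario['niveis_acesso_id'];
        $_SESSION['usuarioEmail'] = $usuario['email'];
        // No password, plain or hashed, goes into the session: usuarioId is enough to treat the login as valid.

        // Same access-level routing as the question, as a lookup table with 'cliente' as the default.
        $destinos = ['1' => 'administrativo', '2' => 'colaborador', '3' => 'enfermagem'];
        $destino = $destinos[(string) $usuario['niveis_acesso_id']] ?? 'cliente';
        header('Location: ./index.php/' . $destino);
        exit;
    }
}

// Missing fields or failed verification: same message and redirect as the question.
$_SESSION['loginErro'] = 'Usuário ou senha inválido';
header('Location: ./login');
exit;
```

Existing rows whose `senha` column still holds sha1 values would have to be re-hashed with `password_hash()` on the user's next successful login before this check can replace the original one.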
