Security in php failing

3

I created a small security code for my login system, to prevent people from copying the administrative panel link, pasting it and accessing it directly.

    <?php
    // the session must be started before $_SESSION can be read
    session_start();
    ob_start();
    if (!isset($_SESSION['usuarioNome']) || $_SESSION['usuarioNome'] == ""
        || !isset($_SESSION['usuarioNivelAcesso']) || $_SESSION['usuarioNivelAcesso'] == "") {
        $_SESSION['loginErro'] = "Área restrita para usuários cadastrados";
        header("Location: login.php");
        // stop here, otherwise the rest of the page is still sent after the redirect header
        exit;
    }
    ?>

This section above is what you see whether the person copied the link or accessed it normally. But when I copy and paste the link, I still access the administrative page normally.

Any solution?

asked by anonymous 13.07.2017 / 14:53

1 answer

6

This code will not work if you have already logged in and filled in these values in the session. The session exists on the server, regardless of what you do in the browser, and only dies after some time without user activity or when it is explicitly cleaned.

If you want the person to be unable to access by pasting a link, you need to do the following sequence of steps:

  • Generate a session value (with a different name than the ones that save username and access level, if any) on any other page. Indicate by its name that it is an access token or something similar;
  • In the admin page, check whether this specific session value is filled. If it is, allow access; otherwise, redirect to another page;
  • Finally, still on the admin page, after the above check, delete the value. This causes the next access to the admin page to be redirected. You will now be able to access the admin page only after accessing the token-generating page again.

Editing to add code

On any page, other than the one on the panel, add the following logic:

    session_start();
    // one-time authorization flag consumed by the panel page
    $_SESSION['autorizacaoPainel'] = true;

On the panel page, add the following logic:

    session_start();
    if (!empty($_SESSION['autorizacaoPainel'])) {
        // consume the flag so the next direct access to the panel is refused
        unset($_SESSION['autorizacaoPainel']);
    } else {
        header("Location: login.php");
        exit;
    }

Thus, you will always need to access the page that fills 'autorizacaoPainel' before any access to the panel.

13.07.2017 / 15:14
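The complete flow the answer describes, as an added example that is not code from the question or the answer: the panel is protected by both the normal login check and the one-time session token, and the token is removed the moment it is checked, so pasting the panel URL again is refused until the issuing page is visited again. The function names, the `PANEL_AUTH_KEY` constant and the file layout (`panel_auth.php` included by the issuing page and by the panel) are assumptions made for this example.

```php
<?php
// panel_auth.php (example file; name is an assumption)
declare(strict_types=1);

// Session key for the one-time token, kept separate from the login values.
const PANEL_AUTH_KEY = 'autorizacaoPainel';

// Start the session once; safe to call from every page that includes this file.
function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// True when the session carries a logged-in user (same values the question uses).
function isLoggedIn(): bool
{
    ensureSession();
    return !empty($_SESSION['usuarioNome']) && !empty($_SESSION['usuarioNivelAcesso']);
}

// Call on the page the user must pass through before the panel (e.g. a menu page).
function issuePanelAuthorization(): void
{
    ensureSession();
    $_SESSION[PANEL_AUTH_KEY] = true;
}

// Returns true exactly once per issued token: the token is deleted as soon as
// it is read, so a second direct request to the panel gets false.
function consumePanelAuthorization(): bool
{
    ensureSession();
    if (empty($_SESSION[PANEL_AUTH_KEY])) {
        return false;
    }
    unset($_SESSION[PANEL_AUTH_KEY]);
    return true;
}

// Call at the very top of the panel page, before any output.
function requirePanelAccess(): void
{
    if (!isLoggedIn()) {
        $_SESSION['loginErro'] = "Área restrita para usuários cadastrados";
        header('Location: login.php');
        exit;
    }
    if (!consumePanelAuthorization()) {
        // Logged in, but arrived without passing through the issuing page.
        header('Location: login.php');
        exit;
    }
}

// Self-check when run from the command line (php panel_auth.php): walks the
// sequence without HTTP. Output is a constructed demonstration, not site data.
if (PHP_SAPI === 'cli') {
    ensureSession();
    $_SESSION['usuarioNome'] = 'admin';          // constructed sample login
    $_SESSION['usuarioNivelAcesso'] = '1';
    $first  = consumePanelAuthorization();       // no token yet -> false
    issuePanelAuthorization();
    $second = consumePanelAuthorization();       // token present -> true, then removed
    $third  = consumePanelAuthorization();       // already consumed -> false
    var_dump($first, $second, $third);           // bool(false) bool(true) bool(false)
}
```

Usage: the issuing page does `require 'panel_auth.php'; issuePanelAuthorization();` and the panel page does `require 'panel_auth.php'; requirePanelAccess();` as its first statements. The `exit` after each `header('Location: ...')` matters: without it PHP keeps executing and still sends the panel's HTML along with the redirect header. Note also that, because the token is consumed on every check, reloading the panel page behaves like pasting the link and is redirected too, which is exactly the behaviour the answer describes.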