Block PHP page access by URL | Doubts about its safety


QUESTION 1

On my site I have PHP pages that register / log in users, products, and other things, which I call through AJAX. Is there any way I can prevent people from accessing these pages via URL?

Example: meusite.com/conexao/cadastro.php

QUESTION 2 | Related to the first

To block access from restricted areas of the site I'm using:

// session_start() must run before $_SESSION is read, on every page that uses it
session_start();

// no logged-in user in the session: send the browser back to the login page
if(!isset($_SESSION['user_logado'])){
    header("Location: index.php");
    exit; // stop here so the rest of the page never runs for anonymous users
}

Is this the best way?

If it is not the best, can it be considered safe?

Could this method be used to protect the pages mentioned in QUESTION 1?

Would there be any conflict with AJAX, since the person would not yet be logged in?

QUESTION 3

I'm not as experienced in PHP as I would like to be, so excuse my ignorance. As far as I know, the PHP content of a page is not available for users to see, such as the connection to the DB, login and registration, and so on, but I believe that such access is possible by brute force. Can I rely on PHP's own security, or would I need additional security, as asked in the first two questions?

asked by anonymous 12.07.2017 / 03:45

1 answer


If this session is established through login and password, then yes, access is secure. However, in your code, where the redirection happens, you could also send an HTTP status 403 or HTTP status 401 response header alongside the redirect.

See: 403 Forbidden vs 401 Unauthorized HTTP responses (i.e. unauthorized).

// session_start() must run before $_SESSION is read
session_start();

if(!isset($_SESSION['user_logado'])){
     // the answer's intent: mark the response as forbidden and redirect to the login page
     header('HTTP/1.0 403 Forbidden');
     header("Location: index.php");
     exit;
}

In addition, on every PHP page that communicates with your management interface it is necessary to check the login and password in the database and whether the session exists. Also, on your login page, filter the values received from the login and password fields for special characters like quotes that could create security holes.

Finally, create criteria for setting your passwords, and never load them into a session variable; instead create a hash with SHA-256 in PHP and always compare against the hash in the database.

This is a very broad security question; if you have any further questions, please do not hesitate to post.

Hugs.

12.07.2017 / 03:58
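The following is an added example (not code from the question or the answer) showing how the session check from QUESTION 2 can serve the AJAX-called pages from QUESTION 1 without the conflict the asker worries about. Two points it relies on: a page that the browser's own JavaScript must fetch cannot be hidden from direct URL access, so the login check on the page itself is the real control; and PHP rewrites the status to 302 whenever a `Location` header is sent without a prior 3xx status, so the 403-plus-redirect in the answer ends up as a plain 302. The guard below therefore answers AJAX callers with 401 and a JSON body, and redirects only for ordinary browser navigation. It keeps the session key `user_logado` from the question; the `$users` array is a constructed stand-in for the users table, and `password_hash()`/`password_verify()` (PHP's built-in salted, slow hashing) are used for the stored credential.

```php
<?php
// auth_guard.php (added example; not code from the question or the answer).
// Assumes the session key 'user_logado' from the question. $users is a
// constructed stand-in for the users table; a real site would fetch the stored
// hash from the database by username.
declare(strict_types=1);

session_start();

/** Did the site's own JavaScript make this request (XMLHttpRequest / fetch)? */
function is_ajax_request(): bool
{
    // Any client can set these headers, so they only choose the *shape* of the
    // reply (JSON vs redirect); they never decide whether the request is allowed.
    $xhr = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
    $acc = $_SERVER['HTTP_ACCEPT'] ?? '';
    return strcasecmp($xhr, 'XMLHttpRequest') === 0
        || stripos($acc, 'application/json') !== false;
}

/** Call this first on every restricted page. Stops the request if nobody is logged in. */
function require_login(): void
{
    if (!empty($_SESSION['user_logado'])) {
        return;
    }
    if (is_ajax_request()) {
        // A redirect is useless to AJAX code: it would silently follow it and
        // receive index.php's HTML with status 200. Answer 401 + JSON instead.
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not_authenticated']);
    } else {
        // Browser navigation: redirect to the login page. PHP turns this into a
        // 302 automatically; a 403 sent before a Location header is overwritten.
        header('Location: index.php');
    }
    exit;
}

/** Verify credentials against stored password_hash() values and open the session. */
function login(string $username, string $password, array $users): bool
{
    $stored = $users[$username] ?? null;
    // password_verify() is constant-time and reads the salt and cost embedded in
    // the hash; the raw password is never stored and never compared as plain text.
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    session_regenerate_id(true);          // new session id after login (anti-fixation)
    $_SESSION['user_logado'] = $username; // store an identifier, never the password
    return true;
}

// How cadastro.php would use the guard: gate first, then do the work.
//     require_once 'auth_guard.php';
//     require_login();
//     ... register the product ...

// Constructed demo, only when run from the command line so that including this
// file from a web page does not execute it.
if (PHP_SAPI === 'cli') {
    $users = [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
    var_dump(login('alice', 'wrong password', $users));
    var_dump(login('alice', 'correct horse battery staple', $users));
}
```

Run with `php auth_guard.php` to see the two `login()` results; on the site, every page under `conexao/` would `require_once` the file and call `require_login()` before touching the database. Because the guard decides on the session and not on the URL or on the `X-Requested-With` header, opening `meusite.com/conexao/cadastro.php` directly in a browser without being logged in gets the redirect, and an unauthenticated AJAX call gets a 401 that the JavaScript can handle.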