-1

I have a Web app with a login form. When the user successfully logs-in, the app generates a session var containing his user ID. Then it displays a main menu, with several links towards .php pages, some of those pages are not the same for all the users, for instance a "user_profile.php" page...etc.

If a non-authenticated user knows the name of those pages, and tries to display them, I wonder how I can secure this stuff ?

So far, I have something like this :

//if the session is not set, forces the user to go back to the main page
if (!isset($_SESSION['auth'])) {
        header("Location: index.php");
        exit();
    }
else {
//display the page, with PHP, HTML, JS...
}

Is the security level "acceptable" in this case ? If not, what can I do to improve the security ?

Fafanellu
  • 424
  • 4
  • 20
  • 1
    _"Is the security level "acceptable" in this case ?"_ It depends who you ask and (at least to me) what kind of information that is at risk. Flagged to close as primarily opinion-based. – Epodax Aug 04 '15 at 10:02
  • I do not store critical information as credit cards stuff, neither huge personnal information, only some basic stuff...thanks for your answers – Fafanellu Aug 04 '15 at 10:05

3 Answers3

2

You may follow the below steps:

  1. Use redirection technique/htaccess as not to show the exact page name.

  2. As you are able to generate a session id store it in session & pass in get variable in urls..if any one wants to access a page illegally he will have to remember the page redirection first & session id.

  3. Call log in function in each page to check whether the user is logged in and if yes he has been allotted a system generated session id.

  4. You may get a notification from your app if anyone is logging in.

The security level increases with your requirements or client requirements. People are trying everyday to embed more and more security in web apps.

lakshman
  • 656
  • 4
  • 18
  • thanks for your answer, I'm not sure to understand the difference between checking on every page if the session var exists, or passing it to the target page with GET ? Do you mean I have to check if the variable passed with GET matches the session var stored on the server ? – Fafanellu Aug 04 '15 at 10:45
  • means make a function of log in, check two things if session variable exists & the generated system id exists & same on each page, it ay be done by passing in get variables – lakshman Aug 04 '15 at 10:48
  • the id generated by the system should be something like a big random generated string for instance ? then stored on client side with a cookie ? – Fafanellu Aug 04 '15 at 11:21
0

You can check in specific class constructors if a user has to be authenticated and if it's true or not. This gives you the flexibility for secured pages or public pages.

More generally, you can check it before include the pages, in for example the index.php, see following pseudo code:

if (!authenticated)
    Redirect to login

Continue

But it sounds not very secure if the session only contains an userId. It's better to store encrypted sessions, tokens, .etc.

Read more here: Developing a secure PHP login and authentication strategy

Community
  • 1
  • 1
schellingerht
  • 5,726
  • 2
  • 28
  • 56
-2

I guess the security Level is acceptable, i dont think it needs more. To secure all of the other pages, i would suggest to query the Session on each Page. When a non-User wants to enter a page, he gets directed to the Login Page then.

JoshuadV
  • 194
  • 8