
I have an auth script at the top of my PHP/HTML pages on my website to redirect people when they try to access protected content without being logged in. The issue I am having is that the content in the protected area is unintentionally loaded, and for a flash the information can be seen before window.location.href redirects the user to the default login page. This creates a security vulnerability where protected info can be seen for a fraction of a second on whatever page they are trying to access from the outside.

Is there a way to make it so the protected content doesn't load until after the auth script is thoroughly executed?

  • The script below is at the top of all my protected pages:

 require_once('userSessionAuth.php');

  • In the above script I have:

 alert("You are not logged in!");
 window.location.href="http://example.com/customerlogin.php";

All the protected content is listed after these two lines on all my protected pages.

  • So really, one could just disable JavaScript and see all your protected content then? The proper thing to do is to only output the content from the server if the user is authorized. Commented Jan 22, 2016 at 17:58

2 Answers


Do the redirect on the server side instead of returning any content to the client:

<?php
// check for auth, if not authenticated then:
header('Location: http://example.com/customerlogin.php');
exit;
?>

Docs here: http://php.net/manual/en/function.header.php


1 Comment

@superiorpancakes really :)
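A fuller version of the server-side check this answer describes, written as an added example rather than the asker's or answerer's code. It assumes the login page stores the user's id in `$_SESSION['user_id']` and that the login page URL is the one from the question.

```php
<?php
// userSessionAuth.php (added example, not the original include file).
// Must be the very first thing in every protected page: any output before
// header() (even a blank line or BOM before "<?php") makes PHP emit
// "headers already sent" and the redirect silently fails.

// Assumption: the login handler sets $_SESSION['user_id'] on success.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

if (empty($_SESSION['user_id'])) {
    // The client never receives the protected markup, so nothing can
    // "flash" on screen and disabling JavaScript gives them nothing extra.
    header('Cache-Control: no-store');
    header('Location: http://example.com/customerlogin.php', true, 302);
    exit; // stop here; anything after this line would still be sent
}

// Authenticated: the protected page continues rendering below.
```

The `exit` after `header()` is essential: a Location header only asks the browser to navigate, and without `exit` the rest of the page is still delivered in the response body.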

Your actual problem is that the protected content is sent anyway.

Use the header function to send a Location redirect and exit your script right after.
