Security Issue

Posted: Tue Apr 20, 2010 5:31 pm
by RIGOLETO
Hi there,

I am having problems with user access. I have a browser software that has a sign on: if the user has been registered in the user table then everything is good and the user can get in. Well, my problem is related to the access. Once the user has entered, a new browser is shown; the problem here is that if the user makes a copy of the browser path and pastes it in a new search, then the program ignores the Sign On screen and goes directly to the main menu.

How can I control my browser access? I need the user to only be able to see the sign on and not the rest of the browser.

Re: Security Issue

Posted: Tue Apr 20, 2010 5:39 pm
by social_experiment
Are you referring to 'tabbed browsing', where a URL from one tab is pasted into another? This will only work on the same browser (assuming your authentication code is correctly done) and not in different browsers.

Re: Security Issue

Posted: Wed Apr 21, 2010 8:48 am
by RIGOLETO
My problem is related to the URL. For instance, if the user is in the main menu, after a previous sign on, then they can copy the URL, open a new browser and paste that URL. When they copy it and press enter, my program goes to the main menu and omits the Sign On screen, so I need to block and disable the rest of the browsers, and all of them should be available only if the Sign On has been activated successfully.

Re: Security Issue

Posted: Wed Apr 21, 2010 10:38 am
by social_experiment
RIGOLETO wrote: My problem is related to the URL. For instance, if the user is in the main menu, after a previous sign on, then they can copy the URL, open a new browser and paste that URL. When they copy it and press enter, my program goes to the main menu and omits the Sign On screen, so I need to block and disable the rest of the browsers, and all of them should be available only if the Sign On has been activated successfully.
If you are using session variables for your security, your authorization checking page (or whatever checks whether a user is logged in) should check if these variables are set. One session that exists on, for example, Firefox doesn't automatically exist on I.E. on the same computer. A simple way to test this is to set a session variable, use a page to check it, then copy that URL and paste it inside another browser. You will find that the existing session is only on that specific browser. The URL (or any values which might be carried in it) should only be useful AFTER you have checked that a user is actually logged in.

A basic example of an 'auth' script:

<?php
// Resume the session so that $_SESSION holds the values set at sign on.
session_start();

// $valueFromDatabase: the fingerprint stored for this user when they signed on.
if (!isset($_SESSION['fingerprint']) || $_SESSION['fingerprint'] != $valueFromDatabase) {
    header('Location: Unauthorized.page');
    exit; // stop here, otherwise the rest of the page is still sent after the redirect
}
?>
At the top of each page that you wish to secure you have the auth script. So when the page is loaded after someone pastes the URL, the script will first go and check:
1. Is $_SESSION['fingerprint'] set? No, it's not, so redirect the user.
2. Is the value of $_SESSION['fingerprint'] equal to the value from the database? No, it's not, so redirect the user.
The good part with this type of script is the || (OR). It will fail if EITHER one of these conditions is not met. If your script does the basic checking it wouldn't be necessary to remove browsers or block them (however this is achieved).
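As an added illustration of the approach described in this reply (this is not code from the thread or from RIGOLETO's application), below is one way to put the sign-on handler and the per-page guard together in PHP. It assumes PHP 7 or later, a PDO connection in $pdo, a users table with the columns id, username, password_hash (created with password_hash()) and fingerprint, and pages named signon.php and menu.php; all of those names are assumptions, not anything stated in the thread.

```php
<?php
// auth.php: added example of a session-based sign-on guard, not code from the
// thread. Assumed names: $pdo (PDO connection), table users(id, username,
// password_hash, fingerprint), pages signon.php and menu.php.

// session_start() must run before any output on every page that uses $_SESSION.
session_start();

// Put at the top of each protected page (e.g. menu.php):
//   require_once 'auth.php'; require_login($pdo);
function require_login(PDO $pdo): void
{
    // A URL pasted into a different browser arrives without the session cookie,
    // so these values are missing and the request is sent back to sign on.
    if (empty($_SESSION['user_id']) || empty($_SESSION['fingerprint'])) {
        redirect_to_signon();
    }

    // Compare the fingerprint held in the session with the one recorded at sign on.
    $stmt = $pdo->prepare('SELECT fingerprint FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();

    if (!is_string($stored) || !hash_equals($stored, $_SESSION['fingerprint'])) {
        redirect_to_signon();
    }
}

function redirect_to_signon(): void
{
    // Clear whatever partial state the session held so it cannot be reused.
    $_SESSION = [];
    session_destroy();
    header('Location: signon.php');
    exit; // without exit, the protected page body would still be sent after the header
}

// Called by signon.php once the user submits the form. Returns true on success.
function handle_signon(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same result for unknown user and wrong password, so neither case is revealed.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session id at sign on so an id obtained beforehand is not kept.
    session_regenerate_id(true);

    // Random per-sign-on fingerprint, stored both server side and in the session.
    $fingerprint = bin2hex(random_bytes(32));
    $upd = $pdo->prepare('UPDATE users SET fingerprint = :f WHERE id = :id');
    $upd->execute([':f' => $fingerprint, ':id' => $row['id']]);

    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['fingerprint'] = $fingerprint;
    return true;
}
```

The two points the reply makes are both visible here: the check runs on every protected page before anything else happens, and both conditions (session values present, and matching the database) have to hold or the request is redirected. The exit after header() matters; without it PHP keeps executing and the menu page is still delivered alongside the redirect header.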

Re: Security Issue

Posted: Wed Apr 21, 2010 11:15 am
by RIGOLETO
Thanks I will try this snippet of code