security - PHP Login page and home page in single page, is it advisable? -

-

i have simple web app , did login page , homepage in 1 page. here scene:

#php login script goes here inc. database config , authentication if(!login()) {  <html> <head> <title>homepage</title> <css goes here> <js goes here> <body>  [ login form goes here ]  </body> </html>  } else {  #php main page script goes here inc. database config , authentication <html> <head> <title>homepage</title> <css goes here> <js goes here> <body>  [ main page if login ]  </body> </html> }

my question is, advisable chop instead of redirecting different/success page? affect speed , security or vulnerability?

there vulnerability if form posts index.php.

this because susceptible in following scenario:

  1. alice logs in , views logged in home page news.
  2. alice's login session times out.
  3. alice goes lunch.
  4. carol loads browser's developer tools , clicks refresh.
  5. the browser resubmits post data login form.
  6. the username , password visible in browser tools of carol makes note of use maliciously @ later time.

this example scenario , why owasp recommend redirecting after login, prevents post data being cached in browser.

in above example carol execute attack after renewing session alice had thought had timed out, or if alice had logged out explicitly carol have clicked logged in home page , refreshed , post data refreshed in scenario.

however, if redirect user, same page, there no http 200 response login credentials not cached.


Comments

Post a Comment

Popular posts from this blog

java - WrongTypeOfReturnValue exception thrown when unit testing using mockito -

-
my test list<person> mylist; @test public void testisvalidperson() { mylist = new arraylist<person>(); mylist.add(new person("tom")); when(persondao.get(person)).thenreturn(mylist); when((persondao.get(person)).isempty()).thenreturn(false);//------exception thrown boolean result = service.isvalid("tom"); assertfalse(result); } method tested: public boolean isvalid(string person){ persondao = new persondao(); person personobj = new person(person); return (persondao.get(person).isempty())?false : true; } exception thrown: org.mockito.exceptions.misusing.wrongtypeofreturnvalue: boolean cannot returned get() get() should return list *** if you're unsure why you're getting above error read on. due nature of syntax above problem might occur because: 1. exception *might* occur in wrongly written multi-threaded tests. please refer mockito faq on limitations of concurrency testing. 2. sp
Read more

php - Magento - Deleted Base url key -

-
i working on cleaning url: http://mydomain.com/shop/shop/deals i going through settings in configuration tab in admin panel on magento , change secure , unsecure base urls remove first base url "shop" web page read: http://mydomain.com/shop/deals so changed unsecure base urls mydomain.com/shop mydomain.com , secure 12.345.67.89/shop 12.345.67.89. wrong thing do. i cannot reload page or admin console. how access these files through ftp , change correctly there?? when make changes in admin panel changes made in database not in file. have make changes in database. 1.go database , select core_config_data table under table find web/unsecure/base_url , web/secure/base_url . make changes here. don't forget clear cache in var/cache folder
Read more

android - How to disable Button if EditText is empty ? -

-
i have edittext , button in application. when button clicked,the text entered in edittext added listview. i want disable button if edittext empty.how ? this code button click imagebutton imb=(imagebutton)findviewbyid(r.id.btn_send); imb.setonclicklistener(new onclicklistener() { @override public void onclick(view arg0) { edittext et = (edittext)findviewbyid(r.id.edittext1); string str = et.gettext().tostring(); web1.add(str); toast.maketext(shoutsingleprogram.this, "you entered...."+str, toast.length_short).show(); adapter1.notifydatasetchanged(); et.settext(""); } }); } how can ? edittext1.addtextchangedlistener(new textwatcher() { @override public void ontextchanged(charsequence s, int start, int before, in
Read more