Here's a security question


Gilead

4:56 pm on Nov 25, 2011 (gmt 0)

10+ Year Member
In my application, I'm checking to make sure people aren't able to get into areas they do not belong. I'm checking the session variable and if it equals a user, I'm using the meta refresh with time set to 0. It is still enough time to take a screen capture of all the admins. If I use the header(location) it says headers are already sent. The possibility of hacking is very remote, however I want to do my best to guard against it. Any thoughts?

Thanks!

rainborick

7:59 pm on Nov 25, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month
The best solution, of course, would be to structure your site so that there's little or no opportunity for users to find or access an admin-type page. And if they do try to access such a page, the script should not send any content that could be abused or hacked.

If header() says "headers already sent", then some part of your page/script has already sent some HTML to the user. The common solution would be to move the check-for-user code higher in the script. Depending on the structure of your pages, this might not be simple or practical, but would probably be the next best solution if you can manage it.

Using <meta> refresh is not at all secure since browsers can be set to ignore this code.

I'm sure others here with more experience will have some additional suggestions. Good luck!
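As an added illustration of rainborick's advice (this is example code, not code from either poster), here is what "move the check-for-user code higher in the script" looks like in practice: the session check runs before a single byte of HTML is emitted, the redirect is sent with header(), and the script exits so nothing after the check is ever rendered. The session key $_SESSION['role'] and the /login.php target are assumptions for the example.

```php
<?php
// Added example: gate an admin page before any output is produced.
// Assumes the login code stores the user's role in $_SESSION['role'] (assumption).
declare(strict_types=1);

function requireAdmin(): void
{
    session_start();

    // If anything has already been sent (a stray space or BOM before "<?php",
    // an echo in an included file), header() cannot work. Do not fall back to a
    // meta refresh: abort without rendering the page at all.
    if (headers_sent($file, $line)) {
        error_log("Access check ran after output started at $file:$line");
        exit;
    }

    if (!isset($_SESSION['role']) || $_SESSION['role'] !== 'admin') {
        header('Location: /login.php', true, 303);
        // header() does not stop execution; without this exit the admin HTML
        // below would still be sent to the client along with the redirect.
        exit;
    }
}

requireAdmin();
?>
<!-- Admin markup starts here and is only reached when the check above passed. -->
```

The "headers already sent" error almost always means some output preceded the check: whitespace or a UTF-8 BOM before the opening `<?php` tag, or an include that prints something. Putting this gate at the very top of the file (or in a file that is required first) removes that window, and the exit after header() is what actually prevents the page from being captured; the redirect alone only tells a cooperating browser where to go next.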

wheel

8:03 pm on Nov 25, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member
Why not just .htaccess protect the sensitive areas, and only allow access by IP?