How to prevent a user from directly accessing my html page

Question

I have a login page that sends a request to a Python script to authenticate the user. If it's not authenticated it redirects you to the login page. If it is redirects you to a HTML form. The problem is that you can access the HTML form by writing the URL. How Can I make sure the user came from the login form with my Python script without using modules because I can't install anything in my server. I want it to be strictly with Python I can't use PHP. Is it possible? Can I use other methods to accomplish the task?

Is your backend written in Python? How is it serving up files? Because if you can intercept the serving, you can perform a check for if the user is authenticated (many, many ways of doing this) then perform a redirect. — Mike Cluck, Jan 29 '16 at 21:31
This is a fundamental security problem. Whatever framework you are using to generate the pages must check that the user is logged in (via a secure token) before returning every protected page. This requires that the entire session be encrypted (HTTPS) to avoid someone capturing the requests and replaying them. Unfortunately, explaining how to do this is much too broad a topic for a StackOverflow answer. Research "Session Management" on the web. — Jim Garrison, Jan 29 '16 at 21:43
I'm running my Python script in a linux server where it checks if the user is in the database. Currently I have it that if it's authenticated it prints the html form and I want it to redirect you instead of just printing the whole form — Pedro Cantu, Jan 29 '16 at 21:48

score 1 · Accepted Answer · answered Jan 29 '16 at 22:29

It's apparent to me that you only want to use Python, no frameworks etc... So the problem is that you are actually redirecting to an existing web HTML page. Don't do that, instead serve the HTML with Python itself.

# pages.py
class DefaultPage(object):
    def __init__(self):
        self.html = '''
        All Your HTML Here
        '''
    def self.display:
        return self.html

Obviously your using something to serve your Python, I'm assuming something simple like Google App Engine Launcher, in which case you can just write the class. Even if your using some other simple WSGI, the concept remains the same.

# main.py
import webapp2
from pages import DefaultPage
class MainHandler(webapp2.RequestHandler):
    def get(self):
        page = DefaultPage()
        self.response.write(page.display())

app = webapp2.WSGIApplication([
    ('/', MainHandler)
], debug=True)

score 0 · Answer 2 · answered Jan 29 '16 at 21:41

0

The best method to handle user login is to use tokens as cookies.
After the user successful login generate a token and send it to them , save this token in your "in memory" DB(if you are using something like django server)- https://docs.djangoproject.com/en/1.9/intro/tutorial01/ , it does it for you.
Each time the user access any internal page in your website check the user token which have been sent as a cookie header , if is found in your DB direct him to the requested page , else , direct him to the login page.
I can help you more if you give more details about your server(server type)

answered Jan 29 '16 at 21:41

Mostafa Wattad

61
5

I'm running my Python script in a linux server where it checks if the user is in the database. Currently I have it that if it's authenticated it prints the html form and I want it to redirect you instead of just printing the whole form. – Pedro Cantu Jan 29 '16 at 21:45
Do you have a control of the user redirection ? what about to redirect the user to the login page if he is not the DB? – Mostafa Wattad Jan 29 '16 at 21:53
I'm using javascript to redirect you to the login page in case it fails to authenticate. – Pedro Cantu Jan 29 '16 at 21:57

Raunak Agarwal · Answer 3 · 2016-01-29T21:44:12.407

0

What you just asked for is called Session Management. Here's the OWASP guide on it: https://www.owasp.org/index.php/Session_Management

You can use frameworks like Django written in python which already provide this security layer. https://docs.djangoproject.com/en/1.9/topics/http/sessions/

edited Jan 29 '16 at 21:44

answered Jan 29 '16 at 21:42

Raunak Agarwal

7,117
6
38
62

Link-only answers are highly discouraged. – Jim Garrison Jan 29 '16 at 21:42
1

I see, but isn't it valid ? – Raunak Agarwal Jan 29 '16 at 21:43
2

Links go bad over time. Answers on SO are expected to be useful to future users, so they should be self-contained. – Jim Garrison Jan 29 '16 at 21:48

score 0 · Answer 4 · edited May 23 '17 at 10:29

You have to add CSRF protection to disallow form submitting from untrusted sources. Dive into What is a CSRF token ? What is its importance and how does it work? question to understand how it works, also you can take a look on How does a CSRF token prevent an attack.

You can implement own csrf protection logic or use existing one like Django CSRF or Flask CSRF Protection etc.( it depends on technologies used on your project).

score -2 · Answer 5 · answered Jan 29 '16 at 21:39

-2

Make sure to check the "referer" header in Python, and validate that the address is your login page.

answered Jan 29 '16 at 21:39

Jason Spradlin

1,407
9
14

1

That can be easily faked. – Jim Garrison Jan 29 '16 at 21:40
By somebody who knows what they're doing, sure. – Jason Spradlin Jan 29 '16 at 22:08
Security by obscurity is not security. If it can be faked and the target has any value at all, it WILL be faked. – Jim Garrison Jan 29 '16 at 22:09

How to prevent a user from directly accessing my html page

5 Answers5