
I use JavaScript to redirect to a file called handle.php, which creates a session for the user and then redirects (this time with PHP's header() function) to the main page (where the user is then identified).

Here is the JavaScript:

window.location.replace("handle.php");

In order to prevent a hacker from executing handle.php directly, I use this configuration in .htaccess:

Options +FollowSymlinks
RewriteEngine on
# Deny handle.php unless the Referer header claims to come from localhost.
# (The second condition is subsumed by the first; both are kept as posted.)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteRule ^handle.php$ - [F]

But this code does not prevent the hacker from replaying the request to handle.php and adding Referer: http://localhost to the headers, allowing him to execute handle.php.

So, I need a way to allow the execution of handle.php only when it is in the proper workflow of my application, i.e. when it comes from a redirection that is written in my code.

Thank you

juRioqs75
  • you could use a csrf token, http://stackoverflow.com/a/31683058/2535531 – DRC Apr 02 '17 at 18:42
  • Why not call the main page directly (if it's PHP), and `require_once` the handler.php file? You could set a constant in the main page and then check to see if it exists in handler.php; if not, die with an unauthorized message. – Sloan Thrasher Apr 02 '17 at 18:51
  • @DRC How would you use it according to my problem please ? – juRioqs75 Apr 02 '17 at 18:51
  • @SloanThrasher Ok I see your point, but why would you use `require_once` instead of `require` ? – juRioqs75 Apr 02 '17 at 18:55
  • @SloanThrasher I just tested your solution, but I already include another page in my main page, and I get an error calling the latter. I am not sure that I can include several files. – juRioqs75 Apr 02 '17 at 19:06
  • Without seeing what your code looks like, I don't know either. You should be able to call the php file near the start of your main page (if it is php). Also, you didn't say what the error is that you got when you tried it out, or what line caused the error. – Sloan Thrasher Apr 02 '17 at 19:10
  • @juRioqs75 could I ask why someone could not call handle.php directly? your authentication should be independent of that redirection/flow. the script that authenticates your user should also set something in the session to tell your user has logged in. – DRC Apr 02 '17 at 20:07
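The Referer check in the question fails because the Referer header is set by the client, so an attacker replaying the request simply supplies the expected value. The single-use token that DRC's comment suggests works because the value is unguessable and lives server-side in the session: the page that emits the JavaScript redirect issues it, and handle.php consumes it. The code below is an added example written for this page, not code from the question or from the commenters; the function names, the session key `handle_token`, the `t` query parameter and the 60-second lifetime are assumptions chosen for illustration.

```php
<?php
// Added example (not from the question): tie handle.php to the page that
// issued the redirect with a single-use, server-side token.
// Names, the session key and the query parameter are assumptions.
//
// issue_handle_token()   goes in the page that emits the JS redirect.
// consume_handle_token() goes at the top of handle.php.

declare(strict_types=1);

const HANDLE_TOKEN_KEY = 'handle_token';   // assumed session key
const HANDLE_TOKEN_TTL = 60;               // assumed lifetime in seconds

/**
 * Store a fresh random token in the session and return it so the issuing
 * page can put it in the redirect URL.
 */
function issue_handle_token(): string
{
    $token = bin2hex(random_bytes(32));    // 256 bits, not guessable
    $_SESSION[HANDLE_TOKEN_KEY] = [
        'value'   => $token,
        'expires' => time() + HANDLE_TOKEN_TTL,
    ];
    return $token;
}

/**
 * Accept the request only if the presented token matches the stored one
 * and has not expired. The stored token is deleted on every call, whether
 * or not the check passes, so a replayed request always fails.
 */
function consume_handle_token(?string $presented): bool
{
    $stored = $_SESSION[HANDLE_TOKEN_KEY] ?? null;
    unset($_SESSION[HANDLE_TOKEN_KEY]);    // single use

    if ($stored === null || $presented === null) {
        return false;
    }
    if (time() > $stored['expires']) {
        return false;
    }
    // Constant-time comparison so the token cannot be recovered byte by byte.
    return hash_equals($stored['value'], $presented);
}

// --- issuing page (the one that currently prints the JS redirect) -------
// session_start();
// $t = issue_handle_token();
// echo '<script>window.location.replace("handle.php?t='
//    . rawurlencode($t) . '");</script>';

// --- handle.php ---------------------------------------------------------
// session_start();
// if (!consume_handle_token($_GET['t'] ?? null)) {
//     http_response_code(403);
//     exit('Forbidden');
// }
// ... create the user session, then header('Location: main.php');

// Stand-alone check when run from the command line (php thisfile.php):
// a direct call without a token fails, the issued token works exactly
// once, and a replay of the same token is rejected.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    assert(consume_handle_token(null) === false);   // direct request, no token
    $t = issue_handle_token();
    assert(consume_handle_token($t) === true);      // first use, in workflow
    assert(consume_handle_token($t) === false);     // replay is rejected
    echo "token flow ok\n";
}
```

Two caveats a practitioner would add. First, the token only proves that this browser session visited the issuing page moments ago; it does not prove anything about who the user is, which is the point of DRC's last comment: the code that actually authenticates the user must set the logged-in state in the session itself and not rely on the redirect path being hidden. Second, because `window.location.replace` makes a GET request, the token appears in the URL and therefore in server logs and browser history; the short lifetime and single use limit the damage, and a form POST would avoid it entirely.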

0 Answers