Let's say I have the URL http://localhost/home and this is the standard URL of a page. When a user logs in they are redirected to http://localhost/admin/home. This URL without any routing is actually more like http://localhost/admin/panel/index/home, where admin is a folder, panel a controller, index a function and home an extension to give the view. Can I theoretically check if a user is logged in depending on if the rsegment(2) is equal to 'admin'? Or can a user fake the URL somehow to break the system? NB: The panel controller (inside the admin folder) has in its index function an actual login check. I was curious as to whether a user would be able to trick the system into not running the index function, or is that secure.


So you're relying on security via obscurity?

2019-04-20 25:46

Why is this a question? Never ever rely on URL structure for authentication. Period!

2019-04-19 25:46

Ah, the good olde security-by-obscurity solution.

2019-04-20 25:46

You should name it /please/dont/hack/me :3

2019-04-19 25:46

Jai - so if I have understood this correctly: on your site, if I go to yoursite.com/admin/panel/index/home and I'm not logged in, I will be able to access the admin area? Always validate that the user is authenticated and has permission to view the requested resource. Always.

2019-04-19 25:46
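The point the commenters make, shown in code as an added example that is not part of the original question or its comments: the URL path is input the visitor types, so a check on a routed segment such as 'admin' proves nothing about who is asking, whereas server-side session state cannot be forged by the client. This is plain PHP with no CodeIgniter dependency; the function names, the segment index used for the URL check, and the session and request values are all constructed for the demonstration.

```php
<?php
// Added example (not from the original post or from CodeIgniter):
// contrasts the URL-segment "check" the question proposes with a
// real session-based authorization check. Plain PHP; the request path
// and session arrays below are constructed sample data.

declare(strict_types=1);

/**
 * Weak: treats a routed segment equal to "admin" as proof of login.
 * The path is attacker-controlled input, so any visitor can type it.
 * (Which segment index maps to rsegment(2) depends on routing; using
 * the first segment here is an assumption for this demo.)
 */
function isAdminByUrl(string $path): bool
{
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    return ($segments[0] ?? '') === 'admin';
}

/**
 * Correct: consult server-side session state that the client cannot
 * forge, and require the role the admin area actually needs.
 */
function isAuthorizedAdmin(array $session): bool
{
    return ($session['logged_in'] ?? false) === true
        && ($session['role'] ?? '') === 'admin';
}

/**
 * Simulated dispatch: what every admin controller action should do
 * before rendering anything, regardless of how the URL was reached.
 */
function handleAdminRequest(string $path, array $session): string
{
    if (!isAuthorizedAdmin($session)) {
        // A real app would redirect to the login page or return 403/404.
        return '302 -> /login';
    }
    return '200 admin view for ' . $path;
}

// Constructed sample sessions: an anonymous visitor and a logged-in admin.
$anonymous = [];
$admin     = ['logged_in' => true, 'role' => 'admin'];

// The very URL the question worries about, typed by hand by a visitor.
$path = 'admin/panel/index/home';

printf("URL check alone:   %s\n", isAdminByUrl($path) ? 'ALLOW (wrong!)' : 'deny');
printf("Anonymous request: %s\n", handleAdminRequest($path, $anonymous));
printf("Admin request:     %s\n", handleAdminRequest($path, $admin));
```

Run with `php example.php`: the URL-only check allows the anonymous visitor because the path contains "admin", while the session-based check sends that same request to the login page and lets only the authenticated admin through. The practical consequence for a CodeIgniter layout like the one described is that the login check belongs in the admin controllers themselves (typically the constructor, so it runs for every action), not in a comparison against the URL.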