Question

I'm writing a web app that only requires a user to log in on some pages. I've noticed that a lot of websites do one of two things:

  1. Redirect their users to their login page and have a simple login check function on their pages that require their users to be logged in

  2. Tell their users to visit the login page by giving an error page.

One thing I haven't seen so much is having the login page included into the check function and when it says the user is not logged in or has not just submitted their credentials then it includes the login.php file and kills the script so nothing else is printed.

So instead of website.com/login it shows website.com/somepage and that page is displaying the login.

I followed a tutorial that uses this method; what are the security risks of using this method?

Was it helpful?

Solution

what are the security risks of using this method?

Security risks are present when something is, well, insecure. An approach is not usually where security issues lie, but more in the code itself.
As long as your code is tight and there is no way for them to circumvent the code or trick their way around your login, then I see no issues with it.

So as long as your code identifies with 100% certainty what their logged in status is, then your code can simply perform an if/else: Check if they are logged in, IF yes show content, ELSE show either a login form on that page, or a link to a login page.

This way they never get access to sensitive data. The IF/ELSE is just as secure on the page that holds the sensitive data as it is on another page where you have the redirect, as either way, them getting the code or not is solely dependent on how secure your confirming their logged-in status is.

Redirect seems a bit harsh if it's only a few pages. Automatic redirection to a login page is usually to keep someone out of a large section, rather than a single or few pages.

Just keep the code for the page where login is required clean, that is, don't have login forms and form-checking code all in the same page which is for something else (i.e. content).
If you don't decide to redirect them to a page (script) whose purpose is to action and control login, then at the least include a separate file that does all of this if deemed they're not logged in, but better to do a class, or at least function.

Whichever of the methods above you choose, make sure the login form and code is in a separate and designated area where the code can be reused.

Other tips

Redirect if, when checking the session array, there is no evidence of a successful login?

session_start();
// Redirect when the session holds no positive login marker
// (the original only checked a marker that was set but false, and was missing a ')').
if (empty($_SESSION['login'])) {
    header('Location: login.php');
    // Stop here; without exit the rest of the page is still sent to the client
    // after the redirect header.
    exit;
}

Of course you could always include the code for the login attempt as an alternative to this method. This is just quick and dirty mind you and shouldn't be considered best practice.

Including code on a page is all well-and-good, however, judge its use carefully. By using a login, it is assumed that you're trying to protect sensitive information from prying eyes, or to ensure that the user is sent down a specific path. It is usually safer to redirect a user via the header so that no data is revealed to the user.
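Putting the two answers above together, here is an added example (not code from the question or either answer) of a reusable guard that is called at the top of a protected page and either redirects to login.php or renders the login form in place, in both cases stopping the script so the protected content never reaches the client. The function names, the `user_id` session key and the `login_form.php` file are this example's own assumptions.

```php
<?php
// Added example, not from the original post. Save as auth_guard.php and
// require it at the very top of each protected page, before any output.
declare(strict_types=1);

// True only if this application itself stored a user id in the session
// after verifying credentials; nothing the client sends is trusted here.
function is_logged_in(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

// $mode = 'redirect' sends the user to login.php (pattern 1 in the question).
// $mode = 'inline' shows the login form at the current URL (the included-file
// pattern the question asks about). Both end with exit so the page body
// below the guard is never executed for an anonymous visitor.
function require_login(string $mode = 'redirect'): void
{
    if (is_logged_in()) {
        return; // fall through and let the protected page render
    }

    if ($mode === 'inline') {
        http_response_code(401);
        require __DIR__ . '/login_form.php'; // assumed file holding only the form
    } else {
        // Keep only the path of the current request as the return target so
        // the redirect parameter cannot be pointed at another site.
        $next = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
        header('Location: /login.php?next=' . rawurlencode($next), true, 302);
    }
    exit; // without this, header() alone does not stop the script
}

// Called by login.php once credentials have been verified.
function mark_logged_in(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // new session id on privilege change
    $_SESSION['user_id'] = $userId;
}
```

A protected page then starts with `require __DIR__ . '/auth_guard.php'; require_login('inline');` and only then emits its content.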

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow