Channel: Redirect to login page if authorization required -- security flaw? - Information Security Stack Exchange

Answer by Jessica for Redirect to login page if authorization required --...

We could attempt to mask this by redirecting ALL requests to the login page, except for the public pages. But this becomes silly as all junk requests will happily return HTML. You are trying to keep the...




Answer by John Wu for Redirect to login page if authorization required --...

Use status 404.5 - Not Found + Denied by request filtering

You can return HTTP status 404.5 "Denied by request filtering." This is accurate since your site denies any requests to non-public URLs based...


Answer by Mike Ounsworth for Redirect to login page if authorization required...

I agree with Tom's answer that this seems like a bizarre threat model. Worrying about attackers enumerating static URLs implies that: The web app is on the internet (or at least accessible to attackers,...


Answer by Austin Hemmelgarn for Redirect to login page if authorization...

The correct solution is to issue the redirect regardless of the status of the target URL if the user is not authenticated. This is easily doable for any normal web server (you set up a redirect rule to...


Answer by Stig Hemmer for Redirect to login page if authorization required --...

I don't think this is a serious flaw (see Tom's answer). However, if you think it is, the problem can be avoided. You have a list of "publicly available URLs", such as /about. For all other URLs, you...



Answer by Simon Richter for Redirect to login page if authorization required...

The solution to this is to redirect anything that is not a public resource to the login URL, including nonexistent pages.


Answer by Tom for Redirect to login page if authorization required --...

What is your threat model? With a blanket approach you won't solve your use case. Correct, if you do as you describe you allow an attacker to enumerate your valid pages, theoretically. Does he have an...


Answer by Sufferer for Redirect to login page if authorization required --...

The usual thing I have seen is to reload the login page once the session expires. Like how your bank does "you've been logged out due to inactivity". This prevents your issue with 404* on refresh. Don't...



Answer by Bubble Hacker for Redirect to login page if authorization required...

There is no correct solution as every site has their own things going on, but I'll give my two cents on how you can tackle this. Usually sensitive pages are behind a directory or on a separate subdomain...



Redirect to login page if authorization required -- security flaw?

Suppose we have a site that has public and private areas. The private areas require login. For example "www.site.com/about" is publicly accessible. But "www.site.com/message_inbox" requires...
