How can I avoid accessing a web page by URL without having logged in, using only JavaScript?

1

Good morning, I'm making a website that asks the user to log in and, after this, redirects to another page if the user exists. This is done through JavaScript queries to an API, where the user and password are looked up, and if they are correct, it takes us to another page with the content. This is done correctly, but the problem is that I can access that private page by writing it directly in the URL; that is, I can access the content by typing link (panelPrivate.html being something that should only be accessible after a user login).

function login() {
    // Read the credentials from the form fields
    var usuario = $('#textDNI').val();
    var clave = $('#passWeb').val();

    if (usuario == '') {
        alert('Debe ingresar su DNI');
        return false;
    }

    if (clave == '') {
        alert('Debe ingresar su contraseña');
        return false;
    }

    var urlEnvio = 'ruta de la API';

    // Ask the API whether the user/password pair exists
    axios.get(urlEnvio, {
        params: {
            user: usuario,
            pass: clave
        }
    })
    .then(response => {
        var elementos = response.data;
        console.log(response.data);
        console.log(response.status);
        if (elementos.count == 0) {
            alert('No existe el usuario en el sistema');
        } else {
            // Client-side redirect only; nothing here stops direct access to the page
            window.location.href = 'panelUsuario.html';
        }
    });
}

I would appreciate any help on this. Thank you very much in advance.

    
asked by AntonioMP87 20.06.2017 at 12:36

2 answers

1

If the private page is static HTML, you should configure the security you mention on the web server; if the pages are dynamic (PHP, ASPX, Python, etc.), you should configure the security in them, validating that the request has some cookie / token or something similar to prove that a correct login has been made.

As a general rule, the security controls that you do in JavaScript are not 100% reliable, since this is a language that runs in the client's browser and they could always be altered by the user.

    
answered by 20.06.2017 at 12:44
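
The server-side check described in the answer above, as an added example that is not part of the original answer: a Node.js handler (an assumed stack) that serves panelPrivate.html only to requests carrying a valid session cookie. The `/login` and `/login.html` paths, the `sid` cookie name, the `handle` function and the sample account are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Constructed sample account; a real system keeps salted hashes in a database.
const salt = nodeCrypto.randomBytes(16);
const users = new Map([['12345678A', nodeCrypto.scryptSync('s3cret-demo', salt, 32)]]);
const sessions = new Map(); // session id -> user (in memory, for the demo only)

// Compare the submitted password with the stored hash in constant time.
function checkPassword(user, pass) {
  const stored = users.get(user);
  if (!stored || typeof pass !== 'string') return false;
  return nodeCrypto.timingSafeEqual(stored, nodeCrypto.scryptSync(pass, salt, 32));
}

// Resolve the Cookie header to a logged-in user, or undefined.
function sessionUser(cookieHeader = '') {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader);
  return m ? sessions.get(m[1]) : undefined;
}

// Hypothetical request handler: returns what the server would send back.
function handle({ method, path, cookie, body = {} }) {
  if (method === 'POST' && path === '/login') {
    if (!checkPassword(body.user, body.pass)) {
      return { status: 401, headers: {}, body: 'Invalid credentials' };
    }
    const sid = nodeCrypto.randomBytes(32).toString('hex'); // unguessable session id
    sessions.set(sid, body.user);
    return {
      status: 303,
      headers: {
        'Set-Cookie': `sid=${sid}; HttpOnly; Secure; SameSite=Strict; Path=/`,
        Location: '/panelPrivate.html'
      },
      body: ''
    };
  }
  if (method === 'GET' && path === '/panelPrivate.html') {
    const user = sessionUser(cookie);
    // The check runs on the server, so typing the URL directly gets a redirect.
    if (!user) return { status: 302, headers: { Location: '/login.html' }, body: '' };
    return { status: 200, headers: { 'Cache-Control': 'no-store' }, body: `Private panel for ${user}` };
  }
  return { status: 404, headers: {}, body: 'Not found' };
}
```

The credentials travel in a POST body rather than in the query string, and the `HttpOnly` cookie cannot be read or forged from page scripts.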
0

From what I see in your code and in your explanation, "panelPrivado.html" is a generic web page for all users. If that is not the case, it would be interesting to know how you know which user has logged in. In addition to this, as you have seen in the comments, it is totally unsafe to handle this information on the client's side.

But since you have asked the question, and to literally answer your question, one possible solution is to run the same verification process before the "panelPrivate.html" page loads.

First, you would have to create a way to save the information already obtained. There are many options, but one option could be to use document.cookie to create a cookie and be able to access the information later.

Then, on the page "panelPrivate.html" a javascript function should access these cookies, perform the same verification process by calling the function login and then redirect if the verification is invalid.

Again, this is a possible answer to your question and we do not recommend doing these checks on the client side.

    
answered by 20.06.2017 at 16:42