
Meta HTTP Refresh Safe or Not?


I use meta http-equiv="refresh" on my website to kick unregistered people out to the login page. For instance, I have an area only for members who are logged in, and I redirect people who want to see it to the login page with a meta refresh. But I want to know: is it possible to break that and see the content there anonymously?

I'm using my function like this:

<?php
if ($session == true) {
    // content
} else {
    // Client-side redirect: the browser is asked to navigate to the login page.
    echo "<meta http-equiv=\"refresh\" content=\"0;url=//mywebsite.com/login\" />";
}

Thanks


Solution

  • Yes, it is possible and very easy. For instance, simply pressing esc when getting redirected will stop the redirect.

    In general, you cannot rely on client-side techniques to prevent unauthorized access. The moment your Web server sends private information to the browser, you can consider its privacy compromised.

    The only way to protect the content is to check on the server side that the user is logged in before outputting any content to the browser.

    In PHP, you can do this before any content is sent:

    <?php
    if (!$session) {
        // Send the redirect as an HTTP header; nothing else must have been output yet.
        header("Location: //mywebsite.com/login", true, 302);
        die("Not authenticated, redirecting..."); // stop the script
    }
    // content
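To make the answer's point concrete, here is a complete server-side gate as an added example (it is not the original poster's or the answerer's code). It assumes that a successful login stored the user's id in `$_SESSION['user_id']` and that the login page lives at `/login`; both names are assumptions for the example. The important property is that for an unauthenticated request the script terminates before a single byte of member content is generated, so the response is a 302 with an empty body and there is nothing for the client to cancel or read.

```php
<?php
// Added example: authorisation check performed before any output.
// There must be no whitespace or BOM before this opening tag, otherwise
// PHP has already started the response body and header() will fail with
// "headers already sent".
declare(strict_types=1);

session_start();

/**
 * Abort the request with a redirect unless the session is authenticated.
 * Assumption: the login handler sets $_SESSION['user_id'] on success.
 */
function require_login(string $loginPath = '/login'): void
{
    if (empty($_SESSION['user_id'])) {
        // Tell browsers and shared caches not to keep this response.
        header('Cache-Control: no-store');
        // A relative Location is permitted by RFC 7231; 302 is fine for a
        // temporary "go and log in" redirect.
        header('Location: ' . $loginPath, true, 302);
        // Stop here: no member content is ever generated for this request.
        exit;
    }
}

require_login();

// Everything below runs only for authenticated users.
header('Cache-Control: no-store');
header('Content-Type: text/html; charset=utf-8');
echo "<h1>Members only</h1>\n";
echo "<p>Welcome, user #" . htmlspecialchars((string) $_SESSION['user_id'], ENT_QUOTES, 'UTF-8') . "</p>\n";
```

To confirm the fix, request the page without a session cookie using `curl -i` against your own server: the meta-refresh version returns `200 OK` with the full member content in the body (the "redirect" is just text the client may ignore), whereas the version above returns `302 Found`, a `Location` header, and no body at all.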