Question

I have a simple web app, and what I did is that the login page and the homepage are in one page. Here is the scene:

#PHP login script goes here inc. Database config and Authentication
if(!login()) {

<html>
<head>
<title>Homepage</title>
<css goes here>
<js goes here>
<body>

[ Login form goes here ]

</body>
</html>

} else {

#PHP main page script goes here inc. Database config and Authentication
<html>
<head>
<title>Homepage</title>
<css goes here>
<js goes here>
<body>

[ Main page if it is login ]

</body>
</html>
}

My question is: is it advisable to chop it like this instead of redirecting to a different/success page? Does it affect speed and security or vulnerability?


Solution

There could be a vulnerability if your form also POSTs to index.php.

This is because it is susceptible in the following scenario:

  1. Alice logs in and then views your logged-in home page for any news.
  2. Alice's login session times out.
  3. Alice goes for lunch.
  4. Carol loads the browser's developer tools and then clicks refresh.
  5. The browser then resubmits the POST data from the login form.
  6. The username and password are visible in the browser tools, and Carol makes a note of them to use maliciously at a later time.

This is an example scenario and it is why OWASP recommends always redirecting after login, as this prevents the POST data from being cached in the browser.

In the above example, Carol could simply execute their attack after renewing the session that Alice thought had timed out. Even if Alice had logged out explicitly, Carol could have clicked back to the logged-in home page and refreshed, and the POST data would also be refreshed in this scenario.

However, if you redirect the user, even to the same page, as there is no HTTP 200 response the login credentials will not be cached.
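The redirect-after-login pattern this answer recommends, applied to the question's single-page layout, as an added example (not code from the question or the answers). The demo account, `check_credentials()` and the `/index.php` path are assumptions standing in for the real database lookup.

```php
<?php
// index.php: added example. DEMO_USER, DEMO_HASH and check_credentials() are
// constructed stand-ins for the question's database lookup.
declare(strict_types=1);
session_start();

const DEMO_USER = 'alice';
define('DEMO_HASH', password_hash('correct horse battery', PASSWORD_DEFAULT));

function check_credentials(string $user, string $pass): bool
{
    $passOk = password_verify($pass, DEMO_HASH); // always run the hash check
    return hash_equals(DEMO_USER, $user) && $passOk;
}

// 303 See Other makes the browser follow up with a GET, so refreshing the
// resulting page has no POST body to resubmit.
function redirect_to_self(): void
{
    header('Location: /index.php', true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_credentials($user, $pass)) {
        session_regenerate_id(true); // fresh session ID at login
        $_SESSION['user'] = $user;
    } else {
        $_SESSION['login_failed'] = true;
    }
    redirect_to_self(); // success or failure: the POST never renders a page
}

$failed = !empty($_SESSION['login_failed']);
unset($_SESSION['login_failed']);
header('Cache-Control: no-store'); // keep the authenticated page out of caches
?>
<?php if (isset($_SESSION['user'])): ?>
  <p>Welcome, <?= htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8') ?>.</p>
<?php else: ?>
  <?php if ($failed): ?><p>Invalid username or password.</p><?php endif; ?>
  <form method="post" action="/index.php">
    <input name="username" autocomplete="username">
    <input name="password" type="password" autocomplete="current-password">
    <button type="submit">Log in</button>
  </form>
<?php endif; ?>
```

Because every POST ends in a 303, the page the user sees is always the result of a GET, and a refresh or back-navigation reloads that GET rather than replaying the credentials.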

Other suggestions

There is no security risk in this. (Basically)

However this is highly not advisable because it is bad practice. If you're working on a small project / app all by yourself, then maybe you can use this approach if the looks of it are not bothering you.

Looking at the example code you presented, I see you are already using a login() function to decide if someone has logged in. I would change that function (or create a new one) so that if a user is NOT logged in, it will send a header redirect to a login.php page, and terminate the script.

This way, you don't have to do the IF ELSE on every single page of your application.

function CheckLogin() {
    // Do your login checks here; login() is the check from the question.
    if (!login()) {
        // User is not logged in: redirect to login.php
        header('Location: http://mysite.nl/login.php');
        die(); // Terminate the entire script.
    }
}

A page would look like:

<?php 
    //PHP login script goes here inc. Database config and Authentication
    CheckLogin(); // ^^^^^^ The CheckLogin() function was included from there ^

    // Contents of the page, whether it be home, a photo album or anything you can imagine!
?>

On the login page, you would want to remove the CheckLogin() function.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow