Prevent user visit the pages by changing the url

Hi,

How to prevent the user visit the pages by changing the url?
Meaning user had to click the navlink or the link in menu to visit the page instead of changing the url.

As per testing, as a user after login the website, I’m able to change the url to visit the home page to skip the 2fa verification.

Flow: login > 2fa > home

After login, I will redirect to the 2fa for the token verification, but if I change the url from 127.0.0.1:8000/2fa to 127.0.0.1:8000/home, I’ll able to visit the home page without the verification.

Yes. The verification has to have a two step process.

One for logged in and the second for verified.

A user needs to be both in order to get through. If a user is not, then it needs to log out the user and redirect back to the login.

But now what I’m facing is if the user is a must to go through the 2fa, and if the user change the url from https.../2fa to https.../home, then the user will skip the 2fa verification.

So, any way to stop this kind of changes (not allow user change the url when they is in 2fa or even they change the url will still return to the 2fa)?

When a user is verified, you need to add a verified section to the flask cookie.

That way you can check it on the request.

I find myself grappling, After logging in and navigating through a robust two-factor authentication (2FA) process, I was surprised to discover a vulnerability. It appears that users can manipulate the URL to bypass the 2FA verification and directly access restricted pages. Here’s the flow: log in > 2FA > home. After passing the 2FA stage, I’m able to alter the URL from /2fa to /home , granting me access without undergoing the 2FA process again.

Hello @RyanLeon,

Yes, this is correct. In order for a user to be able to visit a site, they need to be both logged in and verified.

If you aren’t checking this process, then you will encounter this issue.

Hi @RyanLeon,

Do you find a solution to prevent such case happen?
Could you share it?