How to prevent the user from visiting pages by changing the URL?
Meaning the user has to click the navlink or the link in the menu to visit the page, instead of changing the URL.
As per testing, as a user, after logging in to the website I'm able to change the URL to visit the home page and skip the 2FA verification.
Flow: login > 2fa > home
After login, I'm redirected to /2fa for the token verification, but if I change the URL from 127.0.0.1:8000/2fa to 127.0.0.1:8000/home, I'm able to visit the home page without the verification.
But what I'm facing now is that the user must go through the 2FA, and if the user changes the URL from https.../2fa to https.../home, then the user will skip the 2FA verification.
So, is there any way to stop this kind of change (not allow the user to change the URL when they are in 2FA, or, even if they change the URL, still return them to the 2FA page)?
I find myself grappling with this. After logging in and navigating through a robust two-factor authentication (2FA) process, I was surprised to discover a vulnerability. It appears that users can manipulate the URL to bypass the 2FA verification and directly access restricted pages. Here's the flow: log in > 2FA > home. After passing the 2FA stage, I'm able to alter the URL from /2fa to /home, granting me access without undergoing the 2FA process again.
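The address bar cannot be locked down; the fix is a server-side check on every protected route that the session has actually completed 2FA, redirecting back to /2fa otherwise. As an added, framework-agnostic illustration (not code from the original post), assuming a session object with the fields `user_id` and `two_factor_verified` (both names are assumptions):

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Paths a logged-in but not-yet-verified user may still reach.
# Every other path is redirected to /2fa, however the user got there.
PENDING_2FA_ALLOWED = {"/2fa", "/logout"}
PUBLIC_PATHS = {"/login"}


@dataclass
class Session:
    """Minimal stand-in for a server-side session store (assumed field names)."""
    user_id: Optional[int] = None
    two_factor_verified: bool = False


def gate(session: Session, path: str) -> Optional[str]:
    """Run before every request. Return None to allow it, else a redirect path."""
    if path in PUBLIC_PATHS:
        return None
    if session.user_id is None:
        return "/login"              # not authenticated at all
    if not session.two_factor_verified and path not in PENDING_2FA_ALLOWED:
        return "/2fa"                # password accepted, second factor still pending
    return None


def login(session: Session, user_id: int) -> None:
    """Password step only: record the user but never mark 2FA as done here.
    A real app should also rotate the session id at this point."""
    session.user_id = user_id
    session.two_factor_verified = False


def verify_2fa(session: Session, submitted: str, expected: str) -> bool:
    """Second step: only a valid token flips the flag the gate checks."""
    if session.user_id is None:
        return False
    ok = hmac.compare_digest(submitted, expected)  # constant-time comparison
    if ok:
        session.two_factor_verified = True
    return ok


def logout(session: Session) -> None:
    session.user_id = None
    session.two_factor_verified = False
```

Wire `gate` in as middleware (or a route guard) so it runs for /home and every other protected path, not just for the links in your menu.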