I'm currently coding an intranet which is also accessible from the internet. Using jQuery, I managed that when the user types his email in the login screen, jQuery requests a PHP page (e.g. picture.php?u=username) and his profile picture appears, so he can check it. How can I prevent a hacker from directly calling my picture.php
with all possible emails and checking whether they exist? Should I delete this feature?
Show profile picture but don't show if account doesn't exist
158 views. Asked by DevTec.
There are 2 best solutions below

When the user logs into his/her account, the application should generate a random token and store it in the session. Whenever any form is displayed to the user, the token should be present in the page as a hidden input field. Application logic must check for the token and ensure that it matches the token present in the session. If no match is found, that means someone is trying to access the URL from outside of the application, and you can simply exit from the script.
You could return a picture (in the PHP page) of a random user when the email does not exist, so that the hacker can't see whether an account with that email address exists.
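One way to implement the second answer's idea in the question's picture.php, as an added example (not code from the question or from either answer): instead of a fresh random picture on every request, the fallback is derived from a keyed hash of the email, so repeated requests for a non-existent address always return the same picture and a caller cannot tell the fallback apart from a real account's default avatar. It assumes a db.php that provides a PDO handle in $pdo, a users table with email and picture_path columns, and a set of default avatar files under /avatars/; all of these are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or the answers. Assumptions: db.php
// provides a PDO handle in $pdo; table users has columns email and
// picture_path (NULL when the user uploaded no picture); default avatars live
// under /avatars/. Replace SERVER_SECRET with a real secret from configuration.
require __DIR__ . '/db.php';

const DEFAULT_AVATARS = ['/avatars/default1.png', '/avatars/default2.png', '/avatars/default3.png'];
const SERVER_SECRET = 'PLACEHOLDER-replace-with-a-long-random-secret';

// Picks a default avatar from a keyed hash of the email. The choice is stable for a
// given address, so repeating the request does not reveal that a fallback was used.
function fallbackPicture(string $email): string
{
    $digest = hash_hmac('sha256', strtolower(trim($email)), SERVER_SECRET, true);
    return DEFAULT_AVATARS[ord($digest[0]) % count(DEFAULT_AVATARS)];
}

// Returns the picture path for $email. Unknown accounts and accounts without an
// uploaded picture go through the same fallback, so they are indistinguishable.
// The database lookup runs in both cases, which keeps response times similar.
function pictureFor(PDO $pdo, string $email): string
{
    $stmt = $pdo->prepare('SELECT picture_path FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && is_string($row['picture_path']) && $row['picture_path'] !== '') {
        return $row['picture_path'];
    }
    return fallbackPicture($email);
}

$email = $_GET['u'] ?? '';
if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);   // malformed input; says nothing about account existence
    exit;
}

$path = pictureFor($pdo, $email);
$file = __DIR__ . $path;
if (!is_file($file)) {          // stale stored path: still serve the fallback, never a 404
    $file = __DIR__ . fallbackPicture($email);
}
header('Content-Type: image/png');
header('Cache-Control: no-store');
readfile($file);
```

The fallback only hides account existence if nothing else leaks it: the endpoint should also be rate-limited per client, and the login form's own error messages and timing must not distinguish unknown emails from wrong passwords.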