
I'm developing a single page app with Backbone.js and I was asking myself some questions.

When I'm developing an app that relies on rendering pages on the server I do know how to show some parts or not depending on whether the user is an admin or not (just an example).

But now, I'm using Backbone.js and underscore templating to create the views... so.... I could create a cookie that says... ok... it is the admin, but anyway, someone smart enough could just change the cookie value. I'm able to solve it just by creating a check on the server side that the user is allowed to do that.

Another option I'm thinking about is to ask the server for these concrete pieces of code and just paste them in the right place.

What do you think?

Thanks

Javier Manzano

1 Answer


Your scenario is not entirely clear to me, but in general: If the server divulges "secret" information or allows restricted actions without having verified itself that the user is allowed to see something/do something, that's a security hole. Authentication will have to happen in the established ways: user logs in on the server and receives a secure (enough) token, e.g. a session cookie. The server then only sends information that the user is allowed to see to the client and only allows actions the user is allowed to do.

Anything client-side is always, by definition, insecure. A secure client-side-only authentication system does not exist. The server must not take the client's word for who he is. No critical action must be performed on the client without the server being able to verify that action.

deceze
  • Ok, maybe I've explained myself very badly (I don't speak English very well). – Javier Manzano Aug 30 '12 at 14:56
  • I'm using session cookies, but I don't know how, in a single page (in which all is done client side), to render different templates depending on the role of the user – Javier Manzano Aug 30 '12 at 14:57
  • Well, the server is preparing the code/information in some form, right? You'll need to have something like `if (user == admin) { output code to generate admin pages } else { ... }` on the server. If the client is making any AJAX requests to the server to request information, the server needs to check the credentials and only return the information if the credentials are in order. – deceze Aug 30 '12 at 15:00
  • I'm using session cookies, but I don't know how, in a single page (in which all is done client side), to render different templates depending on the role of the user... – Javier Manzano Aug 30 '12 at 15:08
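The following is an added example, not code from the question or the answer above, showing the pattern deceze describes in the answer and in the `if (user == admin)` comment: the server resolves the user's role from an opaque session id, and both the "which templates may the client have" request and every privileged AJAX action are decided on the server. The session table, the `sid` cookie name, the two templates and the routes are all constructed for this illustration; a real app would issue the session id at login and keep the store in a database or session backend.

```javascript
// Added example (not from the original Q&A): server-side authorization for a
// Backbone single-page app. The client never states its own role; the server
// looks the role up from an opaque session id and only ships templates and
// data that role is allowed to receive.

// Constructed in-memory session store: opaque session id -> user record.
// The id would be issued by the login handler; the role lives only here.
const SESSIONS = new Map([
  ["s3ss10n-admin-0001", { user: "alice", role: "admin" }],
  ["s3ss10n-user-0002", { user: "bob", role: "user" }],
]);

// Underscore-style templates kept on the server, each tagged with the
// minimum role allowed to receive it (constructed for this example).
const TEMPLATES = {
  dashboard: { minRole: "user", body: "<h1>Hello <%= name %></h1>" },
  adminPanel: { minRole: "admin", body: "<ul class='admin'><%= users %></ul>" },
};

const ROLE_RANK = { anonymous: 0, user: 1, admin: 2 };

// Pull the "sid" cookie out of the Cookie header and look the session up.
// A forged or unknown id (or a client-added "role=admin" cookie) simply
// resolves to "anonymous": nothing in the cookie itself is trusted.
function resolveSession(cookieHeader) {
  const match = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || "");
  if (!match) return { user: null, role: "anonymous" };
  const session = SESSIONS.get(match[1]);
  return session ? session : { user: null, role: "anonymous" };
}

function allowed(role, minRole) {
  return (ROLE_RANK[role] || 0) >= ROLE_RANK[minRole];
}

// Build the template bundle for a role. This is the "ask the server for the
// concrete pieces" idea from the question, with the decision on the server.
function templatesFor(role) {
  const out = {};
  for (const [name, t] of Object.entries(TEMPLATES)) {
    if (allowed(role, t.minRole)) out[name] = t.body;
  }
  return out;
}

// Request handler in the shape the answer describes: every route checks the
// session first. `req` is a plain object {method, url, headers, body} so the
// logic can be exercised without a network.
function handle(req) {
  const session = resolveSession(req.headers && req.headers.cookie);

  if (req.method === "GET" && req.url === "/templates") {
    return { status: 200, body: templatesFor(session.role) };
  }

  // Privileged action: the server verifies the role, not the client.
  if (req.method === "POST" && req.url === "/admin/users") {
    if (!allowed(session.role, "admin")) {
      return { status: 403, body: { error: "forbidden" } };
    }
    const newUser = (req.body || {}).user;
    return { status: 200, body: { created: newUser, by: session.user } };
  }

  return { status: 404, body: { error: "not found" } };
}

// Stand-alone demonstration: a tampered cookie gets nothing, a real admin
// session gets both templates and may perform the admin action.
console.log(handle({ method: "GET", url: "/templates",
  headers: { cookie: "role=admin; sid=forged" } }));
console.log(handle({ method: "GET", url: "/templates",
  headers: { cookie: "sid=s3ss10n-admin-0001" } }));
console.log(handle({ method: "POST", url: "/admin/users",
  headers: { cookie: "sid=s3ss10n-user-0002" }, body: { user: "carol" } }));
```

On the client, a Backbone view would fetch `/templates` once after login and compile whatever it receives with `_.template`; a non-admin client never holds the admin markup, and even a client that reconstructs it by hand still gets a 403 from `/admin/users`, which is the check that actually matters.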