3

Let's assume that I load a filtering page, and based of an earlier set cookie, I want to reload the page by adding a few query parameters to my url. Something like this:

<head>
    <script>
        if (need_to_load_with_different_params) {
            window.location.href = window.location.href + params_from_cookie;
        }
    </script>
</head>

I don't remember seeing web applications using this kind of pattern. Is there a good reason for that? Should I move such logic to server-side by all means?

(using jquery.cookie to simplify cookie reading if that makes any difference)

peterh
  • 11,875
  • 18
  • 85
  • 108
DDan
  • 8,068
  • 5
  • 33
  • 52
  • 3
    You may see a FOUC, but there's no issues with that code. It would be better to do this server side though, if possible. – Rory McCrossan Nov 12 '15 at 09:48
  • Thanks @RoryMcCrossanm, you are right, I am doing it on server side. – DDan Nov 12 '15 at 10:21
  • 1
    In order to be able for anyone to answer your question you will first have to explain what "dangerous" means in this context. – PeeHaa Nov 12 '15 at 10:29
  • I updated my question, is it still considered as unclear? – DDan Nov 12 '15 at 10:37
  • Not so much unclear as it is broad. I could write a book about "security problems, maintenance problems, user acceptance issues". – PeeHaa Nov 12 '15 at 10:39

1 Answers1

3

As commented by @Rory McCrossan, it would be better to do this server side.

Several reasons for that:

  • The user could have JavaScript disabled
  • The navigation will feel much cluttered (client request -> server response -> JavaScript parsing -> client request -> server reponse -> HTML parsing before actually having the whole page)

Original Answer: It shouldn't be considered secure: in any case the rest of the content of the page will be downloaded by the user (if JavaScript is disabled, the redirect won't happen)

Mogsdad
  • 44,709
  • 21
  • 151
  • 275
oliverpool
  • 1,624
  • 13
  • 30
  • What makes it not secure in specific? Sure the user could see content before the redirect fires, but how is that not secure? – PeeHaa Nov 12 '15 at 10:28
  • 1
    If the content in the body should not be accessible by unauthorized users (and if that verification is made in JS). *Considering the changes in the question, my answer is now quite irrelevant* – oliverpool Nov 12 '15 at 11:19