I'm developing an eCommerce application. A page's content is written to the page from the server, to ensure the search engines see it.
On the client-side, I add event handlers to various elements on the page. Some of these event handlers should only be present if the user is logged in, e.g. the menu should only be draggable (for reordering) when an appropriately authenticated user is logged in.
However, I'm conscious that any client-side variable indicating whether the user is authenticated or not is susceptible to manipulation by a hacker. Thus, how do I ensure the security of my application?
Is the following a common solution: I pass a value (i.e. 'authenticated' or 'not authenticated') to a hidden input on the page, and use this value in client-side code to determine whether to attach the event handlers. Hackers can of course thus gain access to the interface. But then any execution of server-side code via AJAX first requires authentication with a session variable, i.e. if the user isn't authenticated on the server side, the code doesn't get executed?
Thanks,
Iain