DEV Community

loading...

Discussion on: Using JWTs for Authentication in RESTful Applications

Collapse
perrydbucs profile image
Perry Donham Author

The httpOnly flag on the cookie is what prevents the client from being able to see it; no reason not to send other cookies on the response that are visible, or an object that contains the info. I tend to treat the front end as just view, so there wouldn't be any front-end permissions checking -- the front end would only receive data appropriate for the role of the authenticated user.

Same with CSRF, from the front end's viewpoint it is only talking the the app on the back end, so there are no CSRF issues.

This reminds me of a demo that I sometimes do where I show how many websites, especially media (newspapers, etc), do a subscriber check on the front end in Javascript. Flipping the isSubscriber variable is trivial (or just turning JS off) to read the 'subscriber only' content.

Can't trust the client.