DEV Community

Discussion on: Using JWTs for Authentication in RESTful Applications

Perry Donham

The httpOnly flag on the cookie is what prevents the client from being able to see it; no reason not to send other cookies on the response that are visible, or an object that contains the info. I tend to treat the front end as just view, so there wouldn't be any front-end permissions checking -- the front end would only receive data appropriate for the role of the authenticated user.

Same with CSRF: from the front end's viewpoint it is only talking to the app on the back end, so there are no CSRF issues.

This reminds me of a demo that I sometimes do where I show how many websites, especially media (newspapers, etc.), do a subscriber check on the front end in JavaScript. Flipping the isSubscriber variable is trivial (or just turning JS off) to read the 'subscriber only' content.

Can't trust the client.

Deepa Prasanna

Thanks for the detailed article, Perry! I never knew until now that most websites do a subscription check on the front end. I tried turning off the JS and it stopped showing the subscriber check.