Javier Manzano

Reputation: 4821

single page apps security issue

I'm developing a single page app with Backbone.js and I was asking myself some questions.

When I'm developing an app that relies on rendering pages on the server, I do know how to show some parts or not depending on whether the user is an admin or not (just an example).

But now I'm using Backbone.js and underscore templating to create the views... so... I could create a cookie that says "ok, this is the admin", but anyway, someone smart enough could just change the cookie value. I'm able to solve that just by creating a check on the server side that the user is allowed to do that.

Another option I'm thinking about is to ask the server for these concrete pieces of code and just paste them in the right place.

What do you think?

Thanks

Upvotes: 0

Views: 625

Answers (1)

deceze

Reputation: 522024

Your scenario is not entirely clear to me, but in general: If the server divulges "secret" information or allows restricted actions without having verified itself that the user is allowed to see something/do something, that's a security hole. Authentication will have to happen in the established ways: user logs in on the server and receives a secure (enough) token, e.g. a session cookie. The server then only sends information that the user is allowed to see to the client and only allows actions the user is allowed to do.

Anything client-side is always, by definition, insecure. A secure client-side-only authentication system does not exist. The server must not take the client's word for who he is. No critical action must be performed on the client without the server being able to verify that action.

Upvotes: 2
