Celeritas

Reputation: 15091

When authenticating what is the point of JavaScript validation if the server must always check the credentials?

I have a form users fill out and JavaScript is used to validate the input (e.g. makes sure the password field isn't left blank). Since JavaScript is client side and not compiled anyone can easily mess around with it. Does this mean it's necessary to validate data from the user again on the server? If yes, is there any way it can be made more efficient since JavaScript (theoretically) already did it?

Upvotes: 4

Views: 249

Answers (7)

chanHXC

Reputation: 619

Yes, you MUST validate both in client side and server side. You must think in terms of progressive enhancement. Think of Javascript as just a layer for enhancement and not a necessity. Because it's always upon the discretion of the user to disable Javascript in their browser, rendering your Javascript code useless.

A plus in client side validation is you're saving roundtrips to the server validating if the username or password is empty which can easily be done in javascript.

Upvotes: 1

Matías Cánepa

Reputation: 5974

Short answer: yes, and always!

Read about PDO, SQL injection, UUID, tokens, MD5, SHA, Cross-site request forgery... You have a whole new world to discover! :) I mean it in a good way. Learn about this and you'll build more secure websites.

You always need to keep this in mind: Never trust user input data. Never. So you have to perform an extra validation process on the server side.

Upvotes: 2

Saturnix

Reputation: 10554

I can disable any javascript on your page just with a click of the mouse. I can even totally bypass an HTML form and send data directly to your server.

For example, if you retrieve data with $_GET I can bypass your form (and the javascript validation) just by messing with the address bar. Don't think that using $_POST would change this: it's just a matter of writing an HTTP request.

So, yes... Never trust user input, even if sanitized with javascript.

As somebody posted above, javascript validation can prevent legitimate user errors (thus save the trip the wrong data would have done to your server and then back to the user) but malicious users will still be able to bypass it VERY easily.

Upvotes: 2

Thilo

Reputation: 262842

Yes, it is necessary to validate data on the server because it can be messed with by end users client-side.

"If yes, is there any way it can be made more efficient since JavaScript (theoretically) already did it?"

It is already more efficient than having only server-side validation, because you avoid a lot of round-trips for validation by having client-side validation (you only need to submit the data once, and unless validation was incomplete or disabled, it will go through straightaway). Provides a better user experience, too.

You cannot do away with server-side validation (if you care about the data). If the data only ever goes back to the same user and is not shown or used anywhere else (and has no potential to break anything on your system), you could relax this a little. As an extreme example, Dropbox probably does not care what files you upload, so they don't validate if the HTML you upload contains malicious Javascript.

Upvotes: 6
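The point Saturnix and Thilo make (a request can be built without the form, so the server re-checks everything; client-side checks only save round-trips for honest users) can be shown with one set of validation rules that both the browser and a Node.js server call. This is an added example, not code from the thread or from any of the answerers. The rule values, the `validateLogin`/`handleLogin` names, the constructed sample requests and the `demoCheckCredentials` stand-in are all assumptions made for the demo.

```javascript
// Added example (not from the original thread): one set of validation rules
// shared by the browser and the server. The browser calls validateLogin() to
// give instant feedback; the server calls the SAME function on every request,
// because nothing the client claims to have done can be trusted to have happened.

// Rule values are assumed for the demo.
const RULES = {
  username: { min: 3, max: 32, pattern: /^[a-z0-9_]+$/i },
  password: { min: 8, max: 128 },
};

// Pure function: returns a list of error strings, empty when the input is valid.
// Cheap checks (type, length) run first, so oversized or malformed input is
// rejected before anything that costs more (database lookups, password hashing).
function validateLogin(input) {
  const errors = [];
  if (input === null || typeof input !== 'object') {
    return ['body must be an object'];
  }
  const { username, password } = input;
  if (typeof username !== 'string') {
    errors.push('username is required');
  } else if (username.length < RULES.username.min || username.length > RULES.username.max) {
    errors.push(`username must be ${RULES.username.min}-${RULES.username.max} characters`);
  } else if (!RULES.username.pattern.test(username)) {
    errors.push('username may only contain letters, digits and underscores');
  }
  if (typeof password !== 'string' || password.length === 0) {
    errors.push('password is required');
  } else if (password.length < RULES.password.min || password.length > RULES.password.max) {
    errors.push(`password must be ${RULES.password.min}-${RULES.password.max} characters`);
  }
  return errors;
}

// Server side: what a login handler does with an already-parsed request body.
// It ignores anything the client says about having validated (for instance a
// "validated" field) and re-runs the rules before touching the credential store.
// checkCredentials is a hypothetical dependency injected for the demo.
function handleLogin(body, checkCredentials) {
  const errors = validateLogin(body);
  if (errors.length > 0) {
    return { status: 400, body: { errors } };
  }
  const ok = checkCredentials(body.username, body.password);
  return ok
    ? { status: 200, body: { ok: true } }
    : { status: 401, body: { errors: ['invalid credentials'] } };
}

// Constructed sample requests, standing in for what the server might receive.
const SAMPLE_REQUESTS = [
  // normal submission that passed the browser check
  { username: 'alice', password: 'correct horse battery' },
  // hand-built request that never went through the form; the extra field
  // claims client validation happened, and the server ignores that claim
  { username: 'alice', password: '', validated: 'true' },
  // wrong type: JSON body where password is an array instead of a string
  { username: 'alice', password: ['x'] },
  // oversized field, rejected by the length check before anything else runs
  { username: 'a'.repeat(10000), password: 'whatever-is-here' },
];

// Throwaway credential check for the demo only: accepts one fixed pair.
// A real one would compare against a salted password hash, never a plain string.
function demoCheckCredentials(username, password) {
  return username === 'alice' && password === 'correct horse battery';
}

// Runs every sample request through the server handler and returns the statuses.
function runDemo() {
  return SAMPLE_REQUESTS.map((req) => handleLogin(req, demoCheckCredentials).status);
}

console.log(runDemo()); // [ 200, 400, 400, 400 ]
```

Because `validateLogin` has no browser or Node dependencies it can be shipped to the browser unchanged, so the rules exist once and the only "duplication" is the second call on the server. That second call is the cheap part; the expensive work (hashing, database access) only runs for requests that pass it.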

RacerNerd

Reputation: 1577

Yes, to be safe you will need to add server side validation.
Nothing that is expected to have been done on the client side is guaranteed so you will need to repeat anything that is important.
Additionally there are things that are likely to be evaluated on the server side but not on the client side. Things like checks for SQL injection fall into this category.

Upvotes: 0

tckmn

Reputation: 59363

The user certainly can disable JavaScript. It is also very easy to mess with it as the source code is right there. The user can also run arbitrary JS, making it even easier to mess with your stuff.

Therefore, you should always do server side validation as well. Client side validation should only be used as convenient information for the user. Never trust it as your only security source.

Upvotes: 1

immutabl

Reputation: 6903

Yes absolutely. It is still possible for someone to intercept the form and modify values before re-posting to the server.

Upvotes: 1
