Arte

Reputation: 417

Security risk when setting authorization in state for a member page

I have a solution with a page only members should have access to. To get to that page the user needs to input their username and password, which get sent to the backend, which in turn returns true or false, which is set in a state "isAuth".

If the state "isAuth" is true, the user is redirected to the member page. It works, but it is very easy, for example with React Developer Tools, to change the state to "true" and thus get redirected without even inputting a username and password.

Is there any way to handle state in a safer, non-manipulable way?

Upvotes: 0

Views: 42

Answers (1)

Brandon

Reputation: 39212

The only way to make it secure is to keep the secure content for the member page on the server unless the user authenticates. Make the member page have no real content and have it make API calls to the server to get its content. The server will only provide the content if the API calls include valid credentials for the user.

Ideally your authentication endpoint would return a token (such as a JWT) that the UI can pass back to the server when requesting member page content. The server would only return the content if the JWT were valid. Alternatively (less ideal), the UI could send the credentials with each request, which is basically setting up HTTP Basic Authentication.

Upvotes: 1
