ofevy

Reputation: 57

Prevent unauthorized access to an .html site using only JavaScript

I am a beginner in web development. I am creating a project using only HTML, CSS, and JavaScript. My task is to create the login page and main page, but the user can access the main page only when he is logged in. In the backend there are a database connector script, a login script, and a script which checks whether the user is logged in.

Before the user opens the main page, the script creates a request and gets a response from the script in this format:

{
     "logged": true, 
     "uid": 123456
}

I parse the JSON, and if logged is false I redirect to the login page using window.location.replace().

Does this approach prevent the main page from being opened when the user is not logged in?

I am asking because clients can modify JavaScript files in a web browser.

I know that it is easier to do this in PHP using the Location header, which can't be modified by the client, but I can't do it this way.

Upvotes: 0

Views: 817

Answers (1)

T.J. Crowder

Reputation: 1075567

> I am asking because clients can modify Javascript files in a web browser.

Not really. But yes, a check such as what you describe is easily circumvented client-side.

The rule is this: Anything that should not be visible to the user if they aren't authorized and authenticated must not be sent to the client at all unless that authentication has been provided. So the request for the "main page" from the server must be allowed or disallowed by the server, and served non-cacheable.

Usually the page itself isn't all that protected, but the information you show on the page is. E.g., the page is the scaffold and layout and such, but the protected information it shows is provided using ajax or similar, and only when the user has been authenticated.

Upvotes: 1
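
The rule in the answer above, sketched as an added example that is not part of the original question or answer: the server decides per request, from a session cookie it validates itself, whether to send the main page or its data at all, and marks both non-cacheable. The paths, the `sid` cookie name and the in-memory session map are assumptions for illustration.

```javascript
// Added example. Paths, the "sid" cookie name and the session Map are assumptions.
// Parse a Cookie request header into name -> value pairs.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide the whole response on the server, before any protected byte is sent.
// `sessions` maps session id -> { uid } and is filled by the login script.
function route(path, cookieHeader, sessions) {
  const noStore = { "Cache-Control": "no-store" };
  if (path === "/login.html") {
    return { status: 200, headers: {}, body: "<form>login form</form>" };
  }
  if (path !== "/main.html" && path !== "/api/status") {
    return { status: 404, headers: {}, body: "" };
  }
  const sid = parseCookies(cookieHeader).sid;
  const session = sid ? sessions.get(sid) : undefined;
  if (!session) {
    // Not authenticated: the page redirects, the data endpoint refuses.
    if (path === "/api/status") {
      return { status: 401, headers: noStore, body: JSON.stringify({ logged: false }) };
    }
    return { status: 302, headers: { ...noStore, Location: "/login.html" }, body: "" };
  }
  if (path === "/api/status") {
    const body = JSON.stringify({ logged: true, uid: session.uid });
    return { status: 200, headers: { ...noStore, "Content-Type": "application/json" }, body };
  }
  return { status: 200, headers: { ...noStore, "Content-Type": "text/html" }, body: "<h1>Main page</h1>" };
}

// Wiring into Node's http module (shown as a comment so the block has no imports):
//   http.createServer((req, res) => {
//     const r = route(req.url, req.headers.cookie, sessions);
//     res.writeHead(r.status, r.headers); res.end(r.body);
//   }).listen(8080);
```

Because the unauthenticated branches return before the page or data body is built, editing the client-side script changes nothing about what the browser receives.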
