Web 2 is (relatively) new and changes a lot of things from Web 1.
I’m curious about security in Web 2 - specifically, I’m very interested in knowing what data is kept server-side vs. client side.
For example, I have a Web2 app where some of the logic goes like this:
// Button1.Action event handler
// The caption is rendered in the browser, so this check trusts client-side state
If Me.Caption = "admin" Then
  // do something only administrators can do
End If
In other words, I’m using the caption of the button as a security variable. In a regular Xojo desktop app this is probably fine; in Web 2.0 this could be a very bad move. E.g. if the button caption is actually controlled by JavaScript on the client side, then a hacker could easily mess with it.
I updated my app to do this:
// Button1.Action event handler
// Session properties live on the server, so the browser cannot set this flag
If Session.IsAdministrator Then
  // do something only administrators can do
End If
…based on a (reasonable?) assumption that Session variables only exist server-side, and can’t be altered from a malicious JavaScript client.
But I’m not really sure about this.
Is there any easy-to-remember rule in Web 2 about what data is always kept server-side, vs. data that might be alterable client-side?
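An added example (not the original poster's code) showing where the authorization decision belongs in a Xojo Web 2.0 project: the Session flag is set once from a server-side lookup, and every admin action re-checks it, while control properties such as Caption, Visible and Enabled are treated as UI hints only. It assumes a Boolean property IsAdministrator added to the Session class in the IDE, and a hypothetical server-side method App.LookupRole that consults the user store.

```xojo
// LoginPage.LoginButton.Pressed
Sub Pressed() Handles Pressed
  // Authorization is decided here, on the server, from data the browser
  // never sees. App.LookupRole is hypothetical: it checks the user store
  // and returns "admin", "user" or "" for a failed login.
  Var role As String = App.LookupRole(UsernameField.Text, PasswordField.Text)
  Session.IsAdministrator = (role = "admin")
  If role = "" Then
    MessageBox("Login failed")
    Return
  End If
  Var main As New MainPage
  main.Show
End Sub

// MainPage.Shown
Sub Shown() Handles Shown
  // Hiding the control is a convenience for the user, not a guard: Visible,
  // Enabled and Caption are all rendered in the browser and can be changed
  // there, so the server must not rely on them.
  AdminButton.Visible = Session.IsAdministrator
End Sub

// MainPage.AdminButton.Pressed
Sub Pressed() Handles Pressed
  // Re-check the server-side Session flag on every admin action, regardless
  // of what the button currently looks like in the browser.
  If Not Session.IsAdministrator Then
    MessageBox("Not authorized")
    Return
  End If
  // do something only administrators can do
End Sub
```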