Web 2.0 Security Design

Web 2 is (relatively) new and changes a lot of things from Web 1.

I’m curious about security in Web 2 - specifically, I’m very interested in knowing what data is kept server-side vs. client side.

For example, I have a Web2 app where some of the logic goes like this:

Button1.Action
  if me.caption = "admin" then
      // do something only administrators can do
  end if

In other words, I’m using the caption of the button as a security variable. In a regular Xojo desktop app this is probably fine; in Web 2.0 this could be a very bad move. E.g. if the button caption is actually controlled by Javascript on the client side, then a hacker could easily mess with it.

I updated my app to do this:

Button1.Action
  if session.IsAdministrator then
      // do something only administrators can do
  end if

…based on a (reasonable?) assumption that Session variables only exist server-side, and can’t be altered from a malicious javascript client.

But I’m not really sure about this.

Is there any easy-to-remember rule in Web 2 about what data is always kept server-side, vs data might be be alterable client-side?

1 Like

To be fair, a user changing the caption of a button on the client side does not change the caption on the server. In Xojo’s controls, only the things that a user should be able to change are transmitted to the server.