
I'm new to React and I have taken some courses online. Can users change the state/props of components on a React app in production using console or react tools? My question is more related to security.

i.e. changing login credentials to access data that should not be accessible to them.

In PHP I would control this by storing users' credentials in a session and then validating it using a middleware in the backend. Since users have full control of what is on the client side, how could I prevent someone from changing credentials and accessing sensitive data?

EDIT: My approach would be to validate the credentials on the backend and then store user data in a state, let's say in a state property called userId:

//after backend validation
if (credentialsAreValid) {
  this.setState({userId})
}

How could I prevent a user from modifying their ID, which is stored in the state?

Rodrigo M.
  • This might help: https://stackoverflow.com/questions/20963273/spa-best-practices-for-authentication-and-session-management – You Nguyen Oct 04 '18 at 15:10
  • @NguyễnThanhTú thank you sir, that is what I need. – Rodrigo M. Oct 04 '18 at 15:42
  • Changing the id on the client wouldn't do anything because surely your server doesn't return any data that the user isn't allowed to see. – JJJ Oct 04 '18 at 15:50
  • Yes, they can. No, you cannot trust any data that is stored on the client side. It can be tampered with. All sensitive actions should be performed on the server side. A user can choose a different `userId`, but this shouldn't affect anything because the server didn't authorize the user to access this userId's data. – Estus Flask Oct 04 '18 at 16:33
  • Thank you @estus for pointing it out. I didn't even know what to search for. – Rodrigo M. Oct 04 '18 at 17:57

1 Answer

If validating the user (e.g. during login) before storing server-side session variables only accessible to PHP, you should be fine. If storing the data in a cookie (or other client-side storage engine), it is open to spoofing.

Note: Cannot provide a better answer without seeing code that establishes the session and where variables are stored (e.g. provide example code).

Mavelo