
At the moment I have a site with a few paths. There are the parent paths User, Admin and Login. User and Admin have a few child paths. To authorize a login, I send a request to my API which returns the authenticationLevel (1 for user or 2 for admin). Then I save this in sessionStorage as authlevel and loggedin "true". For each path, I check if the person is logged in and which authlevel they have.

Now my question is, can the sessionStorage be edited by anyone (set loggedin to true and authlevel)? This would make it possible for anyone to view the pages, which is a problem. How can I solve this otherwise? I've thought about making a request to the API for every path change, but I'm not sure it's a good solution.

Teh Swish
    Nothing is secure on the client side. Don't put too much effort into making the routes inaccessible in the case of edited storage. Instead check the token/session on the server before sending or receiving sensitive data to/from those routes (every time) – Dan Dec 17 '20 at 16:20
  • Oh, that's true. If I secure the API with a token, they won't access the data anyway! Could you tell me, though, how you would do it if it was a static webpage with hidden paths? – Teh Swish Dec 17 '20 at 18:24

0 Answers