In my honest opinion using Javascript sessions is wrong.
Ossi Pesonen
22

What you’re describing is correct. Anything that lives on the client (in the browser) can be tampered with. Yes, one would be able to change its own role and access ‘admin’ screens. However, your back-end API should ALSO verify the authenticity of requests and return an appropriate (e.g. 401 unauthorized) response. The net effect is that the attacker will not be able to fetch any private information (in JSON), nor be able to make any changes.

Template files (HTML) and JavaScript code are not considered to be private and can therefore be accessed by anyone. That’s why you should NEVER have any private information in your templates and JavaScript files. In some cases this means you cannot put certain business logic (secret business formulas) in your client-side app; those will have to be implemented on the server side.

Your problem is not with JavaScript sessions (whatever that means, I’m assuming client-defined cookies or localstorage); using server-defined cookies or token-based authentication is not going to be any different. If you don’t want to make your AngularJS source code available to everyone, you’ll have to put the entire thing behind a (server-side) login (e.g. HTTP Basic Auth) or a firewall.
