
I am building a blog website from scratch, so I am not using any frameworks, only plain HTML, CSS, JavaScript and PHP.

What is the "good habit" and secure way to check in JavaScript if an admin or any user is logged in? For example, if a normal member is logged in, I don't want to show buttons/pages like "New post" or "Delete post". Now I do it with AJAX: I call my router.php (all GET and POST requests are handled there) and send the client's cookie to the server, where router.php checks if cookie["token"] is equal to session["token"], and only then sends back information (username and member status, into AJAX's success function) to JavaScript, where I do something like if(username == "admin") then show "Delete button". Code:

// Read one cookie by name instead of assuming "token" is the second cookie:
// document.cookie.split(';')[1] breaks as soon as cookie order or count changes.
function getCookie(name) {
    var match = document.cookie.match(new RegExp('(?:^|;\\s*)' + name + '=([^;]*)'));
    return match ? decodeURIComponent(match[1]) : null;
}

var token = getCookie("token");
if (token !== null) { // cookie["token"] exists
    $.ajax({    // create an AJAX request to router.php
        type: "POST",
        url: "../php/router.php",  // cookie_check data only
        data: {"cookie_check": token},
        dataType: "json",
        success: function(response){
            // sign in button transforms into the username
            var username = response[0]["username"];
            var status = response[0]["status"];
            $("#signInMenu").empty();
            var usernameList = document.createElement("li");
            usernameList.textContent = username; // textContent, not innerHTML: the username is data, not markup
            usernameList.className = "usernameCss";
            document.getElementById("menuNavId").appendChild(usernameList);

            // check which page is loaded
            var sPath = window.location.pathname;
            var currentPage = sPath.substring(sPath.lastIndexOf('/') + 1);
            if (currentPage === "posts.html" && username === "admin") {
                // PLACE BUTTONS (UI only; the server still has to check the role on every request)
            }
        }
    });
}

It works, but I don't think this is the right way to do it. All my views are in .html files; the controllers are JavaScript files included in the .html files, and in them I call AJAX, and there is only one PHP file which serves all the requests from AJAX. Can you somehow explain the concept/good habit?

  • Do it in PHP, use permissions/roles – B001ᛦ Mar 10 '20 at 15:54
  • I agree, you shouldn't do anything related to security in JavaScript. JavaScript can always be manipulated because it runs in the browser of the client. – KIKO Software Mar 10 '20 at 15:54
  • But how? The JavaScript does the "make-up"; it is creating the view/making the buttons. You mean there is a way to make this happen in PHP? Maybe calling/writing JavaScript functions in the PHP file? I don't really get it. – Giuseppe The Dreamer Mar 10 '20 at 16:57
  • Does this answer your question? [The definitive guide to form-based website authentication](https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – ArSeN Mar 10 '20 at 18:56
  • It's really helpful, thank you. In the meantime, someone gave me an idea: for every PHP call that modifies the database and/or changes the page, I should check if cookie[token] is equal to session[cookie], and if so, check (in the PHP file) if the session[username] is admin, and only then let the function run. So basically, even if they "change" the JS code to see the buttons for modification, they will not be able to use them, because their session[username] won't be admin. What do you think about this solution? – Giuseppe The Dreamer Mar 10 '20 at 20:01
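The pattern the comments point at, written out as an added example (this is not the asker's router.php or any code from the thread): every action that changes data is authorized on the server from the session, and the JavaScript is only ever told who is logged in so it can decide what to draw. Assumptions made here: the login step has already stored `username`, `role` and a `csrf_token` in `$_SESSION`, requests arrive as POST with an `action` field, and a PDO connection `$pdo` exists. Because the browser attaches the session cookie to every request on its own, nothing has to be copied out of `document.cookie` and sent in the body.

```php
<?php
// router.php, added example: authentication and authorization live here, on the server.
// Assumes login already populated $_SESSION['username'], $_SESSION['role'] and
// $_SESSION['csrf_token'], and that $pdo is an open PDO connection.
declare(strict_types=1);

// HttpOnly keeps the session cookie out of document.cookie; SameSite=Lax limits
// which cross-site requests carry it. Must be set before session_start().
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
session_start();
header('Content-Type: application/json');

// Who is logged in? Derived only from the server-side session, never from
// anything the client puts in the request body.
function current_user(): ?array {
    if (empty($_SESSION['username']) || empty($_SESSION['role'])) {
        return null;
    }
    return ['username' => $_SESSION['username'], 'role' => $_SESSION['role']];
}

// Abort the request unless the session holds one of the allowed roles.
function require_role(string ...$roles): array {
    $user = current_user();
    if ($user === null) {
        http_response_code(401);
        echo json_encode(['error' => 'not logged in']);
        exit;
    }
    if (!in_array($user['role'], $roles, true)) {
        http_response_code(403);
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
    return $user;
}

// State-changing requests must also carry the per-session CSRF token, since the
// browser sends the session cookie along with requests from other origins too.
function require_csrf_token(): void {
    $sent = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        echo json_encode(['error' => 'bad csrf token']);
        exit;
    }
}

$action = $_POST['action'] ?? '';

switch ($action) {
    case 'whoami':
        // Informational only: lets the JavaScript decide which buttons to draw.
        // Hiding a button is cosmetic; the checks in the other cases protect the data.
        $user = current_user();
        echo json_encode($user ?? ['username' => null, 'role' => 'guest']);
        break;

    case 'delete_post':
        require_csrf_token();
        require_role('admin'); // a member who edits the JS to show the button still gets 403
        $postId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
        if ($postId === null || $postId === false) {
            http_response_code(400);
            echo json_encode(['error' => 'missing or invalid id']);
            break;
        }
        $stmt = $pdo->prepare('DELETE FROM posts WHERE id = :id');
        $stmt->execute([':id' => $postId]);
        echo json_encode(['deleted' => $stmt->rowCount()]);
        break;

    default:
        http_response_code(404);
        echo json_encode(['error' => 'unknown action']);
}
```

With the cookie marked HttpOnly the page script can no longer test `document.cookie` for a token, so it simply posts `action=whoami` on load and renders from the answer; a `role` of `guest` means nobody is logged in. The `delete_post` branch is the part that matters: the role and CSRF checks run before any database statement, so the response to a non-admin is the same 403 whether the button was hidden or not.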

0 Answers