Security tips for a web developer

Every web application has two sides: the client side and the server side. Everything on the client side can be changed, and most security problems happen when you trust the client. With a simple proxy (like WebScarab) you can edit fields that were validated only with JavaScript. That’s why you always need to validate the data on the server side. Play Framework has grown into a great framework for this, offering advantages such as annotations that control the type of data coming from the client side.

So, a great way to think outside the box is to use the validation features inside the model, which every good MVC framework has, and not to trust too much in hidden fields in the HTML, which, when changed, can affect other users inside the web application. For instance, if you have a hidden field that holds the id of the user, and I change that, I can change other users’ data.

So, in conclusion:

  • You can use cookies and sessions to know which user is authenticated (inside the model you can keep what he is allowed to do in the web application)
  • Don’t trust the client side. Always use both server and client validation
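The two points above, shown side by side in an added example that is not code from the original post and does not use Play Framework: a framework-free, in-memory request handler. The `Request`, the user store, the field names (`user_id`, `name`, `email`) and the handler names are all assumptions made for illustration. `update_profile_insecure` takes the user id from a hidden form field, so a tampered request from one logged-in user overwrites another user’s profile; `update_profile_secure` takes the identity from the server-side session and validates every field before touching the store.

```python
"""Profile update handled two ways: trusting a hidden field versus using the session.

Added example, not from the original post. Everything (request, session,
user store) is constructed in memory so it runs offline.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    """What the server sees for one HTTP request (hypothetical shape)."""
    form: dict      # fields posted by the browser: fully attacker-controlled
    session: dict   # server-side session looked up from an httpOnly cookie


def fresh_users():
    """Constructed in-memory user store: user id -> profile."""
    return {
        1: {"name": "alice", "email": "alice@example.com"},
        2: {"name": "bob", "email": "bob@example.com"},
    }


# Deliberately simple address check; a real app would use a proper validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_profile(form):
    """Server-side validation of the posted fields.

    Returns (cleaned, errors). Client-side JavaScript may run the same
    rules for usability, but this is the check that actually counts.
    """
    errors = {}
    name = (form.get("name") or "").strip()
    email = (form.get("email") or "").strip()
    if not 1 <= len(name) <= 40:
        errors["name"] = "must be 1-40 characters"
    if not EMAIL_RE.match(email):
        errors["email"] = "not a valid address"
    return {"name": name, "email": email}, errors


def update_profile_insecure(req, users):
    """Vulnerable pattern: the user id comes from a hidden form field.

    The field was written into the page by the server, but it comes back
    from the client and can be rewritten like any other field.
    """
    uid = int(req.form.get("user_id", 0))
    if uid not in users:
        return 404, {}
    # No validation either: whatever was posted goes straight into the store.
    users[uid].update(name=req.form.get("name", ""),
                      email=req.form.get("email", ""))
    return 200, {}


def update_profile_secure(req, users):
    """Hardened pattern: identity from the session, data validated on the server."""
    uid = req.session.get("user_id")          # set at login, never from the form
    if uid is None or uid not in users:
        return 401, {}
    cleaned, errors = validate_profile(req.form)
    if errors:
        return 400, errors
    users[uid].update(cleaned)                # only the caller's own record
    return 200, {}


if __name__ == "__main__":
    # Constructed request: user 1 is logged in but the hidden field says user 2.
    tampered = Request(form={"user_id": "2", "name": "mallory",
                             "email": "mallory@example.com"},
                       session={"user_id": 1})
    users = fresh_users()
    print(update_profile_insecure(tampered, users), users[2])   # bob overwritten
    users = fresh_users()
    print(update_profile_secure(tampered, users), users[1], users[2])
```

The hidden `user_id` field is ignored entirely in the secure handler; the same rule applies to any hidden field that carries a price, a role or a record id. A log line or metric on requests whose posted `user_id` disagrees with the session is a cheap way to spot tampering attempts in production.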
This entry was posted in Internet, play, Software Development.