Breaking down the possibilities of breaking in.
But what if you need a little security without involving the server? Is that possible?
For example, say you've got a client-side routing system and you want a particular route to be restricted to logged-in users. So you ping the server to ask whether you're allowed to visit protected routes, and carry on. The problem is that you store the server's response in a variable, so the next time you go to a private route, the router checks that variable to see whether you're already logged in (no ping to the server) and, depending on its value, lets you through or not.
How easy is it for a user to modify that variable and get access?
Via Jan Hesse
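The pattern described above, as an added JavaScript sketch (not code from the original post): a route guard that caches the login check in a variable, next to a server that re-checks the session on every request for protected data. All names (`server`, `auth`, `canVisit`, `loadPrivatePage`) and the session token are constructed for illustration.

```javascript
// Constructed sketch; every name and the session token are hypothetical.
const sessions = new Set(["tok-alice"]); // sessions the server knows about

// Server side: the only place a session is actually validated.
const server = {
  whoAmI(token) { return { loggedIn: sessions.has(token) }; },
  privateData(token) {
    // Re-checked on every request for protected data.
    if (!sessions.has(token)) return { status: 401, body: null };
    return { status: 200, body: "account details" };
  },
};

// Client side: ping once, then trust the cached answer.
function makeClient(token) {
  const auth = { loggedIn: null, pings: 0 };
  function canVisit(route) {
    if (!route.startsWith("/private")) return true;
    if (auth.loggedIn === null) {          // first visit: ask the server
      auth.pings += 1;
      auth.loggedIn = server.whoAmI(token).loggedIn;
    }
    return auth.loggedIn;                  // later visits: cached variable only
  }
  function loadPrivatePage() {
    if (!canVisit("/private/account")) return { rendered: false, status: null, body: null };
    const res = server.privateData(token); // the data still comes from the server
    return { rendered: true, status: res.status, body: res.body };
  }
  return { auth, canVisit, loadPrivatePage };
}

function demo() {
  const anon = makeClient("no-session");
  const before = anon.loadPrivatePage();   // guard refuses the route
  anon.auth.loggedIn = true;               // the cached flag is ordinary client state
  const after = anon.loadPrivatePage();    // guard passes, server answers 401
  const user = makeClient("tok-alice").loadPrivatePage();
  return { before, after, user, pings: anon.auth.pings };
}

console.log(demo());
```

Because the cached flag lives in the user's browser, the guard only decides what the client renders; the 401 from the server is what keeps the protected data out of reach.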