I am trying to figure out how to store some user information which will control content visibility in a way that will:
- Not require constant trips to the server to query SQL to see what the user does/does not have access to AND
- The user cannot edit in the browser’s developer tools/console
Cookies, Query Strings and even HTML5 Local Storage or SQLite are all great storage options, but they can all be edited by a tech savvy user. How do I control content based on a user’s security level while limiting queries and preventing users the ability to hack around it?
The only way to prevent the user from seeing specific content is to validate their access to the content server-side and not render it to them. Any client-side validation can be circumvented. Even if you devise a way to locally store information that the user can’t see, you’d still be sending the content to them and using client-side code to check that value.
The user can see any content you send them.
You don’t necessarily need to make constant trips to the SQL database to check roles and permissions. You can persist some cached roles and authorizations server-side, such as in the session state, and validate against those for the life of the user’s session. At that point you’re not incurring a performance cost because the user is requesting pages anyway. With each page request, you would simply determine what the user can or can’t see in the response.