I’m currently building an web application for a customer that uses a rich client. (Flex)

In this application, a user has a password, as well as a couple of other key attributes that are used throughout the system for identification purposes. (Eg., things like mothers maiden name).

A user logs on with their password initially. Then, throughout the application, whenever a user is about to perform a “destructive” action, they are required to enter one of these other identifying pieces of data.

My customer has requested I load these attributes after login, store them in memory, and perform validation against this data on the client, before making a server call that performs the destructive actions.

This strikes me as a potential security risk, as it’s possible (albeit difficult) to spoof the web client, and retrieve this data that is sent across the wire. My customer thinks I’m being paranoid and is urging me ahead.

Some key points to consider:

• The application is served over HTTPS
• All client / server communications occur over HTTPS
• This data is sent to the client only AFTER logon has occurred
• During logon, the session is issued with a secure cookie.

So, largely, the application is fairly secure.

However, my gut tells me that while it may be difficult to hack the data, it’s still less secure than if we didn’t send it at all, and validated on the server.

Am I being paranoid, or is this a genuine security risk?

If this is a valid concern, are there any best practice documents that I can point my client to, in order to substantiate my point?