
Can a user modify or remove a `defer` tag of a script that redirects them

I have a `<script>` in the `<head>` of an HTML file that checks to see if the user is authorized to view the page’s contents through a token cookie. The `<script>` is tagged with `defer` and immediately redirects the user if they are not authorized. Would a user or a bot be able to remove the `defer` tag and allow the page to load? Is there a better way to ensure a user is authorized before the page loads?

Solution:


A user can absolutely bypass your mechanism. Likely in less than 30 seconds. You should never, ever, and I mean never, use the client side to be sure whether the client is logged in. Let’s say the user simply disables JavaScript. No more redirection. Because the code is run on the user’s computer, they can modify the code however they want.

The correct way (in your specific situation, things get different in other approaches) to do this is from the server. Use session, JWT, or some other auth mechanism, from the server. Redirect your client from the server. Only send data to the user if they are logged in.
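A minimal sketch of the server-side check described above, added here as an example and not part of the original answer. The cookie name `token`, the `/account` and `/login` paths, the in-memory session map and all function names are assumptions made for illustration.

```javascript
// Constructed sample session store: token -> session data.
// In a real application this is a database or cache, and the server
// issues the token at login.
const SESSIONS = new Map([["constructed-token-abc123", { user: "alice" }]]);

const PROTECTED_HTML = "<h1>Account</h1><p>Private content</p>";

// Parse a Cookie request header into a prototype-free object.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = part.slice(i + 1).trim();
  }
  return out;
}

// Decide the whole response on the server. The protected markup is only
// placed in the body after the session lookup succeeds, so disabling
// JavaScript or editing the page in the browser reveals nothing.
function respond(path, cookieHeader) {
  if (path !== "/account") {
    return { status: 404, headers: {}, body: "Not found" };
  }
  const token = parseCookies(cookieHeader).token;
  const session = token ? SESSIONS.get(token) : undefined;
  if (!session) {
    // Missing or unknown token: redirect with an empty body.
    return {
      status: 302,
      headers: { Location: "/login", "Cache-Control": "no-store" },
      body: "",
    };
  }
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store" },
    body: PROTECTED_HTML,
  };
}

// Request handler in the (req, res) shape used by Node's built-in http module.
function handler(req, res) {
  const r = respond(req.url.split("?")[0], req.headers.cookie);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```

To serve it, pass `handler` to `createServer` from Node's built-in `http` module. The difference from the `defer` script is that an unauthorized request never receives the page's HTML at all.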
