I am currently in the process of creating a session cookie for my user. To do this, I send a request to my backend API with the hope of receiving a token in return. Once I have obtained this token, I need to store it in a cookie to establish the user's session. However, alongside the token, additional information is also returned such as the screens that the user will have access to. I am seeking advice on how to securely handle this information without exposing it or the function responsible for generating the cookie. It is worth noting that I am working with TypeScript and using "cookie-universal-nuxt" to manage cookies. Additionally, I have created a custom plugin to process the information and create the cookie. The API request is being made from the client side.
Although I have identified some potential solutions to this issue, I have not tested them as they seem somewhat makeshift to me.
Edit:
The primary concern is ensuring complete isolation of the session. While the current session setup is secure once established, there exists a vulnerability due to frontend manipulation when constructing the cookie. This manipulation occurs on the client side, allowing users to access both the backend response and the function responsible for building the session cookie. I aim to enhance this security further by preventing any frontend manipulation that could lead to fake sessions. While the cookie itself is robust, I would like to conceal the frontend function used to construct the session to prevent users from viewing API data or crafting counterfeit sessions. To achieve this goal, I believe running the API request from the server side and concealing the explicit API response could be a viable solution.
This question was generated using Google Translate and originally written in Portuguese (Brazil).