How to keep the client's state SAFE?
Following this question: Could a cookie that was generated from Javascript (not sent in a header by the server) be stolen / used by an attacker?
It drives me crazy.
How can client state be saved using an FB access token?
It should be used to access resources on one's own server as well as the FB server. Assuming a JS framework (Backbone / Marionette) and REST authentication are used.
It cannot be encrypted as such, and yet there is no other way than using a cookie to persist state on the client.
I've done a lot of research.
Every source mentions persisting state on the client to avoid server sessions, but I can't find a single source that explains how to do this safely.
If you know the answer, please share. Thank you.
You can safely store client information as long as the server delivers it.
You can encrypt or sign data with a private key that only the server knows and decrypts / verifies information using it.
However, by definition, you cannot securely store information that is also generated on the client itself. It's just a client playing with itself. Anyone can verify what exactly is going on, so you cannot sign or encrypt anything with any private key, because by definition the key is no longer secret if you give it to every client. You also cannot trust any information that the client sends to the server, because the client is free to send anything it wants to the server. You cannot trust the code running on the client because it is completely outside your control.