How to protect javascript variables from being manipulated when posting to server?

I'm building a simple mvc application in ASP .NET and I would like to keep all the user data of a session on the client side, i.e. that at each time the page is loaded the variables restarts from zero (for example, points in a game). That data would then be sent to the server side (as a post) to be treated and then returned to the cl开发者_开发技巧ient. I'm doing this as to not use a database and gain performance.

However, how can I ensure that this data can't be manipulated before being sent to the server? Excuse me, I'm kind of new to all this.

Thanks

Everything coming from the client can be manipulated, including javascript variables, FORM variables etc.

Always treat anything coming from the browser as untrustworthy. Always check if caller has access to the resource which is being requested, for every HTTP request. This is the cardinal rule for all web applications. It is generally done in the filter so, it is not so bad.

You could embed an HMAC in the data sent to the client so the server can verify it hasn't changed when the client sends it back later. But you also have to worry about things like replay attacks — even if a malicious client can't change the data, it can send old data that it received several reloads ago.

You say you're trying to gain a performance advantage by not using a database, but have you actually evaluated database performance and found it to be too slow? This sounds like you may be choosing a weird design for your application based on an unfounded assumption.

You can't, the best you can do is validate them on the server side and make sure they dont contain any malicious characters, you could also use a hash to verify the variable has not been modified manually, although they will still be able to change it.

There isn't a way to protect or preserve values of JavaScript variables when the page is posted back.