Why use Session as a global variable? It raises a security question mark


#1

Applying the Session array as global variables may raise security problems.

Today, security is one of the biggest problems for enterprise cloud applications.

Meteor may need to resolve all possible security concerns for enterprises to adopt the Meteor platform.


#2

Everything in the client is inspectable by anyone with access to the browser on that URL.

The scope of data in JavaScript isn’t a security issue. There’s no data protection in client-side JavaScript.


#3

But a black box in the client may protect data from unauthorized access.
And there is Minimongo, located in the client, which needs to be protected as well.

Meteor needs a security model to tell enterprises it is safe enough for their apps.


#4

All of that data is protected by the browser.

Meteor itself doesn’t actually store any data in the client. It sends JS that instructs a parsing application what data to store. The calling browser is responsible for the Storage API implementation ensuring its protection.