I’m working on the security provider part of a booking form. So there is no user email and password input as in a typical login process.
I’m wondering what is the best practice of how to handle this situation?
I have a current setup where the username and password for the Security Provider are field values taken from a table row. That table row is found in a database query searching for a unique 16 digit identifier for the particular event which is passed through to the booking form with a query parameter.
I’m wondering if the information that I’m using for username and password is visible on the client side (with names that don’t relate as such) whether a hacker could use it to get through the security provider mechanism, or if the Security Restrict step can only be passed by the action of running the specific server action it is placed in.
I hope this all makes sense! 
Antony.
Last updated: