Session and layout variables security

When developing content for the IPF portals, you may need to store sensitive data that should not be visible to the client in a session or layout variable. To keep this data secure, you must use the ServerLayoutVariables and ServerSessionVariables provided by IPF. Any data stored in the IPF ClientServerLayoutVariables or ClientServerSessionVariables cannot be trusted, because the client could modify the data manually before sending it back to the server. Likewise, any data stored in the IPF ClientLayoutVariables and ClientSessionVariables should not be trusted, since the client could modify it manually.

As explained in "Session and layout variables naming", existing custom code that used the SessionVariables name is changed to use the ClientServerSessionVariables name during migration, and existing custom code that used the LayoutVariables name is changed to use ClientServerLayoutVariables. This ensures that your custom code is recognized and works after the migration. However, these are not trusted variables, so you must update them after the migration if they are to be secure.
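One way to find the references that need this post-migration review is to scan custom code for the variable collection names listed above. The script below is an added example, not IPF code; the sample source, its dotted access syntax and the variable names in it are constructed assumptions.

```python
import re

# Collection names taken from the page, grouped by trust level.
SERVER_ONLY = {"ServerSessionVariables", "ServerLayoutVariables"}
CLIENT_MODIFIABLE = {
    "ClientServerSessionVariables", "ClientServerLayoutVariables",
    "ClientSessionVariables", "ClientLayoutVariables",
}
# Pre-migration names and what the migration renames them to.
LEGACY = {
    "SessionVariables": "ClientServerSessionVariables",
    "LayoutVariables": "ClientServerLayoutVariables",
}

# Whole identifiers only, so "SessionVariables" inside
# "ServerSessionVariables" is not reported as a legacy name.
NAME_RE = re.compile(
    r"\b(?:ClientServer|Client|Server)?(?:Session|Layout)Variables\b")

def audit(source):
    """Return (line_no, name, verdict) for each collection reference."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in NAME_RE.finditer(line):
            name = match.group(0)
            if name in SERVER_ONLY:
                verdict = "server-only"
            elif name in CLIENT_MODIFIABLE:
                verdict = "client-modifiable"
            else:
                verdict = "legacy, becomes " + LEGACY[name]
            findings.append((line_no, name, verdict))
    return findings

def needs_review(source):
    """Keep only references the client can tamper with after migration."""
    return [f for f in audit(source) if f[2] != "server-only"]

# Constructed sample; the dotted access syntax and the variable names
# (userRole, theme, approvalLimit, activeTab) are assumptions.
SAMPLE = """\
var role = ClientServerSessionVariables.userRole;
var theme = ClientLayoutVariables.theme;
var limit = ServerSessionVariables.approvalLimit;
var tab = LayoutVariables.activeTab;
"""

if __name__ == "__main__":
    for line_no, name, verdict in needs_review(SAMPLE):
        print(f"line {line_no}: {name} ({verdict})")
```

Each reported line is a place to decide whether the value is sensitive and, if so, to move it to ServerSessionVariables or ServerLayoutVariables.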