node.js - JavaScript code substitution on client side -

i'm learning new technologies (such node.js, socket.io, redis etc.) , making simple test applications see how can work.

my question security on client-side javascript code: example, have chat-server on node.js+express , when user connects chat, server should assign registred username (authorisation through oldschool php+mysql used) socket. question is, can user modify client-side script , connect chat under different users' names?

some code given below:

(server-side part of assigning username, getting username client-side call)

// when client emits 'adduser', listens , executes socket.on('adduser', function(username){     // store username in socket session client     socket.username = username;     // store room name in socket session client     socket.room = 'general';     // add client's username global list     usernames[username] = username;     // send client room 1     socket.join('general');     // echo client they've connected     socket.emit('updatechat', 'server', 'you have connected general');     // echo room 1 person has connected room     socket.broadcast.to('general').emit('updatechat', 'server', username + ' has connected room');     socket.emit('updaterooms', rooms, 'general'); }); 

(client-side part of sending username server, looks 'var username = "user";' particular user)

yii::$app->view->registerjs('var username = "'.$user->identity->username.'";', yii\web\view::pos_head); 

(connect function)

chat.on('connect', function(){         // call server-side function 'adduser' , send 1 parameter (value of prompt)         chat.emit('adduser', username); }); 

so question is: can user change (for example, through chrome development tools) username in line 'var username ...' , connect chat under different name?

p.s. particular situation example, obviously, changed nicknames in chat not more simple joke, similar situations can appear in other projects...

supposing variables protected in closures , it's not trivial change them typing username='root' in console, user replace whole code.

everything happens client side totally out of control.

the news solutions not involving duplicate authentication. supposing authenticate user in express application, can session , user that.

see how in chat server :

var sessionsockets = new sessionsockets(io, sessionstore, cookieparser); sessionsockets.on('connection', function (err, socket, session) {     function die(err){         console.log('err', err);         socket.emit('error', err.tostring());         socket.disconnect();     }     if (! (session && session.passport && session.passport.user && session.room)) return die ('invalid session');     var userid = session.passport.user;     if (!userid) return die('no authenticated user in session');     ... handling socket authenticated user }); 

basically, uses session.socket.io module propagate session standard http requests (authenticated using passport) socket.io connection. , isn't supposed provided user taken session/db/server.