Is it right to grab the html code from json, when you have successfully logged in?
Is javascript deciding if the user is logged in? or does it have to ask the server, and the server decides?
All html codes are defined in the source code. The problem is the html elements for logged in are always avaible, but not the sensitive content of course.
I might be misunderstanding you, but this sounds like your “sensitive” content is always on the webpage, but hidden until revealed with javascript. If this is the case, then it doesn’t matter how you handle login/authentication, because the content is already available.
If you need more help with this, you’d probably need to show us the code in question.