- Passwords must never be sent to the client; all login verification must be handled exclusively on the backend.
- IsAdmin must be stored in a server-controlled, encrypted session variable.
- A great security practice is to hash passwords before storing them in the database.

Congratulations to your son on his first website!
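
The three points above in one place, as an added example that is not part of the original post: a minimal backend sketch in Python (the language is an assumption, since the thread names no stack). The names `USERS`, `SESSIONS`, `register`, `login` and `is_admin` are hypothetical, the in-memory dictionaries stand in for a database and a server-side session store, and PBKDF2 is used only because it ships with the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the database and the server-side session store.
USERS = {}     # username -> {"salt": bytes, "hash": bytes, "is_admin": bool}
SESSIONS = {}  # opaque session id -> {"user": str, "is_admin": bool}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash; the plaintext is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username: str, password: str, is_admin: bool = False) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt),
                       "is_admin": is_admin}

def login(username: str, password: str):
    """Runs on the backend. Returns an opaque session id, or None on failure."""
    user = USERS.get(username)
    # Hash even for unknown users so both failure paths do similar work.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _hash(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return None
    sid = secrets.token_urlsafe(32)
    # The admin flag is copied from the database into server-side state.
    SESSIONS[sid] = {"user": username, "is_admin": user["is_admin"]}
    return sid  # the only value sent to the client, e.g. in a cookie

def is_admin(sid, client_claim=None) -> bool:
    # client_claim models a browser-supplied value such as isAdmin=true;
    # it is ignored, only the server-side session decides.
    session = SESSIONS.get(sid)
    return bool(session and session["is_admin"])
```

The browser only ever holds the random session id, so editing a cookie or a JavaScript variable cannot change what `is_admin` returns.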