Reputation: 5621
I was confused by an answer on another post I made here: https://sharepoint.stackexchange.com/questions/40057/is-an-updatepanel-a-bad-decision/40412#40412
My understanding is that an UpdatePanel handling a Button_Click is not doing anything different from a security standpoint than a normal postback. The UpdatePanel IS still doing a full postback, it's just happening asynchronously inside the confines of the UpdatePanel.
Take this scenario:
I am handling an upvote click event. I can either submit a new vote with AJAX, or with a Button_Click in an UpdatePanel. (Taking for granted that voting should be asynchronous; having a postback for each vote would be terrible IMO.)
In order to avoid vote cheating, I'm tying a vote to both an item and a user, and so in submitting a vote I need to include these two things.
With AJAX, it seems as though both of these fields can easily be hacked, to the point that someone could get an array of user names and run a loop submitting hundreds of votes in a short time period.
With an UpdatePanel, I can at the very least pull the identity of the current user server side, and not expose any item creation methods to web services.
Is this not fundamentally more secure? Do I misunderstand how an UpdatePanel works?
Upvotes: 3
Views: 127
Reputation: 11396
An UpdatePanel is indeed the same as a postback from the security standpoint. It's just a matter of how the output is partially rendered.
Now, regarding your scenario:
Doing a purely AJAX approach wouldn't jeopardize security in any way. Just because it's JavaScript doesn't mean that you are forced to open up to cheating by actually receiving the user as a parameter in your request. That's what you have authentication, cookies, etc. for: to identify the user from a request coming in, using Principals and Identities.
To make it short, you can have a safe implementation both with an UpdatePanel and with AJAX.
NOTE: AJAX doesn't force you to expose web services outside of your security implementation; the endpoint on the server could indeed just be an MVC Controller, an HttpHandler, etc.
Upvotes: 2
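As an added example (not code from the question or the answer), here is the contrast the answer draws, written as two ASP.NET HttpHandlers for the upvote scenario: the weak form takes the voter from a request field, the hardened form takes it from the authenticated principal ASP.NET attached to the request, so the AJAX endpoint identifies the user exactly as UpdatePanel code-behind would. The `VoteStore` class, the `itemId`/`userName` form fields and the in-memory vote table are assumptions standing in for a real database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

// Added example, not from the original post. Constructed in-memory stand-in
// for the vote table: one vote per (itemId, userName).
public static class VoteStore
{
    private static readonly ConcurrentDictionary<Tuple<int, string>, byte> Votes =
        new ConcurrentDictionary<Tuple<int, string>, byte>();

    // Returns false when this user has already voted on this item.
    public static bool TryRecordVote(int itemId, string userName) =>
        Votes.TryAdd(Tuple.Create(itemId, userName), 0);
}

// Weak form from the question: the voter is a request field, so any caller
// can loop over user names and vote on their behalf.
public class UnsafeVoteHandler : IHttpHandler
{
    public bool IsReusable => true;
    public void ProcessRequest(HttpContext context)
    {
        int itemId = int.Parse(context.Request.Form["itemId"]);
        string user = context.Request.Form["userName"]; // attacker-controlled
        context.Response.Write(VoteStore.TryRecordVote(itemId, user) ? "ok" : "dup");
    }
}

// Hardened form, as the answer recommends: the voter comes from the principal
// ASP.NET attached to the request (forms/Windows auth cookie), never from a
// request parameter, so the AJAX call is no less safe than an UpdatePanel.
public class VoteHandler : IHttpHandler
{
    public bool IsReusable => true;
    public void ProcessRequest(HttpContext context)
    {
        var identity = context.User?.Identity;
        if (identity == null || !identity.IsAuthenticated)
        { context.Response.StatusCode = 401; return; } // anonymous: no vote
        if (context.Request.HttpMethod != "POST" ||
            !int.TryParse(context.Request.Form["itemId"], out int itemId))
        { context.Response.StatusCode = 400; return; } // malformed request
        bool recorded = VoteStore.TryRecordVote(itemId, identity.Name);
        context.Response.StatusCode = recorded ? 200 : 409; // 409 = duplicate
        context.Response.ContentType = "text/plain";
        context.Response.Write(recorded ? "vote recorded" : "already voted");
    }
}
```

The hardened handler also rejects anonymous and non-POST requests, which is what lets a per-user vote limit actually hold: the server, not the client, decides who is voting.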