Reputation: 371
I'm a little bit confused about which method to use:
1. using jQuery to call an HttpHandler page that implements an order.
2. using ICallbackEventHandler (read more).
Can you give me some advice about which one is more efficient to use?
Thanks
Upvotes: 4
Views: 1610
Reputation: 14932
I suggest these links to help you understand the options better and choose what you want:
I prefer to use jQuery.ajax() and also the jQuery Templates Plugin when needed (loading tabular data from AJAX calls). It is a lightweight approach and gives much more control to the developer. I don't like how Microsoft likes generating stupid code when we use their handlers.
But it's okay; you could have some security issues, as you pointed out in the comments.
Your note about the easy manipulation of the Referer was interesting, but this vulnerability isn't jQuery exclusive. The problem is that the concept of AJAX itself already carries several security holes, which are known problems discussed over the years.
It's important to observe that using ICallbackEventHandler isn't a solution, since it's only yet another way to generate AJAX requests without you having to type them. But if the asynchronous request exists, it can always be intercepted in some way, just like a $.ajax() call could be.
Finally, you already gave an "almost" answer: it's better to work by passing security tokens as a parameter. If you work with a MasterPage, the token generation in a HiddenField will be abstracted into a single piece of code. And you can encapsulate it with a JavaScript function responsible for making AJAX calls with this token as a parameter. Everything is just a matter of software architecture.
I called it an "almost" answer because nothing is fully secure and security tokens can also be hacked. Yes, it's much harder and rarer, but 99% is never 100%.
Your second option with ICallbackEventHandler could have many security issues, as well as your first option with $.ajax(), since a handler will generate code similar to any code that you would type. In the end, your choice must be a matter of taste. But remember to read up and take the required approaches to security in both cases.
Upvotes: 7