David John

Reputation: 493

How to ensure security for a web service?

I have a web application (VS2008, C#, ASP.NET 3.5 Framework). In my login page there is a function CheckLogin() which performs the login. I have used a remote web service; objWeb is the object of that web service, and WebService_CheckLogin is a web method in my remote web service. The database connection string is written in a class file of my web service.

// Login page code-behind: reads the two textboxes and forwards them to the remote web service.
public DataSet CheckLogin()
{
    string username = Convert.ToString(txtUname.Text);
    string password = Convert.ToString(txtPassword.Text);
    // objWEB is the proxy for the remote web service; the returned DataSet drives the login decision.
    return objWEB.WebService_CheckLogin(username, password);
}

Web method in my web service:

[WebMethod]
public DataSet WebService_CheckLogin(string uname, string pswd)
{
    // c is the connection helper class shown below; it exposes the shared SqlConnection as c.con.
    c.connect();
    DataSet ds = new DataSet();
    // Stored procedure with named parameters: the values are bound, not concatenated into SQL text.
    SqlCommand cmd = new SqlCommand("sp_verifyuser", c.con);
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.Parameters.AddWithValue("@Username", uname);
    cmd.Parameters.AddWithValue("@Password", pswd);
    c.getdataset(cmd, ref ds);
    return ds;
}

My connection class in the web service:

// Connection helper: con is a SqlConnection field shared by the class.
public void connect()
{
    if (con.State == ConnectionState.Open)
    {
        con.Close();
    }
    // Credentials are hard-coded here (values masked); the string lives in the web service, not the client.
    con.ConnectionString = "Data Source=xxxxxxx;Initial Catalog=xx;User ID=xx;Password=xxxx";
    con.Open();
}

My question is: is anything wrong as far as security is concerned? I mean, can anybody access my web service with its URL? I have many other web methods in which I pass a string as a parameter, like:

string profilePassword = objWEB.Verify_ProilePassword("exec sp_verify_profilepwd '" + txt_profil_pwd.Text + "','"+cid+"'");

Regards, David

Upvotes: 1

Views: 995
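The Verify_ProilePassword call in the question assembles the SQL text ("exec sp_verify_profilepwd '...'") on the client from a textbox, so whatever is typed into txt_profil_pwd becomes part of the statement the web service hands to SQL Server. Below is an added example, not code from the question, showing the same web method written so that the client sends only the raw values and the server binds them as typed parameters to a fixed procedure name. The class name ProfileService, the procedure's parameter names @ProfilePassword and @CustomerId, the connection-string name "ProfileDb" and the assumption that the procedure returns 1 on success are all hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;

// Hypothetical ASMX service for this example (not the question's code).
public class ProfileService : WebService
{
    // Client call becomes:  objWEB.Verify_ProfilePassword(txt_profil_pwd.Text, cid);
    // The SQL text is a constant procedure name; user input never appears in it.
    [WebMethod]
    public bool Verify_ProfilePassword(string profilePassword, string customerId)
    {
        // Basic input bounds before anything reaches the database.
        if (string.IsNullOrEmpty(profilePassword) || profilePassword.Length > 128) return false;
        if (string.IsNullOrEmpty(customerId) || customerId.Length > 20) return false;

        // Connection string read from web.config (name "ProfileDb" is an assumption).
        string connStr = ConfigurationManager.ConnectionStrings["ProfileDb"].ConnectionString;

        // 'using' disposes the connection even if an exception is thrown, so there is
        // no shared, half-open connection object like the con field in the question.
        using (SqlConnection con = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand("sp_verify_profilepwd", con))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Explicitly typed and sized parameters: the values travel out-of-band,
            // so quotes, semicolons or keywords inside them are just data.
            cmd.Parameters.Add("@ProfilePassword", SqlDbType.NVarChar, 128).Value = profilePassword;
            cmd.Parameters.Add("@CustomerId", SqlDbType.VarChar, 20).Value = customerId;

            con.Open();
            object result = cmd.ExecuteScalar();
            // Assumed contract: the procedure SELECTs 1 when the password matches, else 0 or no row.
            return result != null && result != DBNull.Value && Convert.ToInt32(result) == 1;
        }
    }
}
```

The method returns a bool rather than a DataSet: the caller only needs a yes/no answer, and returning the matched row would expose password-related columns to anyone able to reach the service.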

Answers (1)

Greg

Reputation: 8784

It all depends on how you secure your WebMethods. Your code above may check if a user has a valid username/password combination but it's hard to tell what you're doing with it from there.

After you've authenticated a user and set EnableSession on a WebMethod, you could do something like this:

[WebMethod(EnableSession = true)]
public string HelloWorld()
{
    // User is the IPrincipal ASP.NET attached to this request (System.Web.Services.WebService.User).
    if (User.Identity.IsAuthenticated)
    {
        return "Hello " + User.Identity.Name;
    }
    else
    {
        return "I don't talk to strangers";
    }
}

Feel free to post any questions.

Also, if you're not careful with your sp_verifyuser stored procedure, a call like this could lead to disaster:

WebService_CheckLogin("*","*")

Upvotes: 2
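Two points in the answer can be shown together: a web method that checks the caller's identity (or a session flag set at login) refuses anyone who merely knows the .asmx URL, and a login lookup that compares the username with = against a typed parameter and verifies a password hash in code leaves nothing for a "*" argument to match. The following is an added example written for this page, not code from the question or the answer. The service name AccountService, the Users table with its PasswordHash and PasswordSalt varbinary columns, the "ProfileDb" connection-string name and the PBKDF2 settings are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Services;

// Hypothetical ASMX service for this example.
public class AccountService : WebService
{
    const int Pbkdf2Iterations = 10000;   // assumed work factor
    const int HashBytes = 32;             // assumed stored hash length

    // Login: answers true/false only and never returns the user's row.
    [WebMethod(EnableSession = true)]
    public bool WebService_CheckLogin(string uname, string pswd)
    {
        if (uname == null || pswd == null || uname.Length > 64) return false;

        byte[] storedHash = null, storedSalt = null;
        string connStr = ConfigurationManager.ConnectionStrings["ProfileDb"].ConnectionString;
        using (SqlConnection con = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordHash, PasswordSalt FROM Users WHERE Username = @Username", con))
        {
            // '=' rather than LIKE, and a typed parameter: "*" or "%" is just a literal name.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 64).Value = uname;
            con.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (r.Read())
                {
                    storedHash = (byte[])r["PasswordHash"];
                    storedSalt = (byte[])r["PasswordSalt"];
                }
            }
        }
        // Unknown user gets the same answer as a wrong password.
        if (storedHash == null || storedSalt == null) return false;

        // The password is checked in code against a PBKDF2 hash; plaintext is never stored
        // and the database never decides the match on its own.
        byte[] candidate = new Rfc2898DeriveBytes(pswd, storedSalt, Pbkdf2Iterations).GetBytes(HashBytes);
        if (!FixedTimeEquals(candidate, storedHash)) return false;

        // Remember the authenticated user for this session (checked by WhoAmI below).
        Session["user"] = uname;
        return true;
    }

    // Every other method checks identity first, so knowing the .asmx URL is not enough.
    [WebMethod(EnableSession = true)]
    public string WhoAmI()
    {
        string user = Session["user"] as string;
        // Also honour an identity set by ASP.NET itself (Forms or Windows authentication).
        if (user == null && User != null && User.Identity.IsAuthenticated)
            user = User.Identity.Name;
        if (user == null)
            throw new UnauthorizedAccessException("not authenticated");   // surfaces as a SOAP fault
        return "Hello " + user;
    }

    // Compare every byte so the time taken does not depend on where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The hash comparison happens in C# so the stored procedure's matching rules no longer matter for the password, and the exact-equality username lookup means a wildcard argument returns no row at all.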
