Reputation: 8162
I'm starting to use ASP.NET Ajax. Following Eric Pascarello's recommendations, I always operate under the assumption that anything can come from the client side (including fake requests).
One matter which I have a hard time accounting for is user authentication. Since we use .NET's built-in session state management mechanism, I'm a bit ignorant of what security risks exist with the web services.
What do I need to do to be certain that the user is who he says he is (to a reasonable enough probability)? Is using
[WebMethod(EnableSession = true)]
enough?
Thanks
Upvotes: 2
Views: 317
Reputation: 7713
That's how you make sure the Session object is available in your method. If you want to make sure they are authenticated, then configure it in your web.config:
<location path="MyService.asmx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
Upvotes: 2
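A server-side check to go with the web.config rule above, as an added example that is not code from the question or the answer. It assumes Forms or Windows authentication is already configured for the application; the method name `GetCartSummary`, the session key `"Owner"` and the namespace URI are hypothetical.

```csharp
using System;
using System.Web.Services;
using System.Web.Script.Services;

// Hypothetical code-behind for MyService.asmx (names are assumptions).
[WebService(Namespace = "http://example.invalid/")]
[ScriptService] // allows ASP.NET AJAX client script to call the methods
public class MyService : WebService
{
    [WebMethod(EnableSession = true)]
    public string GetCartSummary()
    {
        // EnableSession only makes Session available; it authenticates nobody.
        // Re-check here so the method stays protected even if the <location>
        // rule in web.config is removed or the .asmx file is renamed.
        if (User == null || !User.Identity.IsAuthenticated)
        {
            throw new UnauthorizedAccessException("Authentication required.");
        }

        // Take the identity from the server-side principal, never from a
        // parameter, hidden field or cookie value supplied by the client.
        string userName = User.Identity.Name;

        // Bind the session to the authenticated user so that a session cookie
        // presented alongside a different login is rejected.
        object owner = Session["Owner"];
        if (owner == null)
        {
            Session["Owner"] = userName;
        }
        else if (!string.Equals((string)owner, userName, StringComparison.Ordinal))
        {
            Session.Abandon();
            throw new UnauthorizedAccessException("Session does not belong to this user.");
        }

        return "Cart for " + userName;
    }
}
```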