1

I have been playing with jQuery ajax and an ASP.NET webservice. I would like to use this combination to do more than look up information. I would like to add lines to orders and do other things that will open up holes for security if there is no way to check if the user is logged in or not.
JavaScript user checking before running the ajax will not shield from attacks by a semi-aware hacker. Am I bound to use ASP.NET controls to do all significant data entry?

5
  • Well, in ASP.NET using postbacks is the best way to transfer data to the server, but if you have to use ajax, you can specify type='post' for your ajax call. This eliminates the visibility of transferred data and is hence safer. Commented Jul 29, 2013 at 18:44
  • @user1 couldn't the user look at the JavaScript and figure out what to do? Commented Jul 29, 2013 at 18:46
  • @HelloW That's why you have to validate on the server that the current user has permission to do what they are trying to do. But you should be doing that with non-ajax requests as well. Commented Jul 29, 2013 at 18:49
  • Yes, there is always a risk when processing sensitive data at the front end. I don't know what you are trying to accomplish, but the safe way is to use postbacks. By the way, why not check if the user is logged in or not on page load and render the controls accordingly? Commented Jul 29, 2013 at 18:59
  • I am not trying to process from the front end and your comments are well taken. I am checking to make sure the user is logged in before rendering the controls. I am now checking to make sure the user is logged in before doing anything server side. I didn't know if the cookies came along with an ajax call from jquery. Yes I am a noob :) thanks to all for the prompt help. Commented Jul 29, 2013 at 19:06

2 Answers

3

Ajax requests send all the same headers (including authentication cookies) as normal requests. Just validate the user against the attempted action and specific data, and you'll be fine.


1

You'll need to verify (on the server side) that the current user is logged in. This is easy with MVC by just putting an [Authorize] attribute on the Controller or Method.
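
The two answers combined, as an added example that is not part of either answer: `[Authorize]` rejects anonymous callers, and the action then checks that the logged-in user owns the specific order named in the ajax request. It assumes classic ASP.NET MVC (`System.Web.Mvc`); the `Order` type, the `OrdersController`/`AddLine` names and the in-memory data are hypothetical stand-ins for the real order store.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Web.Mvc;

// Hypothetical order record; Owner is the login name the order belongs to.
public class Order
{
    public int Id;
    public string Owner;
    public List<string> Lines = new List<string>();
}

[Authorize] // anonymous requests, ajax or not, never reach the actions below
public class OrdersController : Controller
{
    // Constructed sample data standing in for the real database.
    private static readonly Dictionary<int, Order> Orders = new Dictionary<int, Order>
    {
        { 1, new Order { Id = 1, Owner = "alice" } },
        { 2, new Order { Id = 2, Owner = "bob" } }
    };

    // Called from the page with $.ajax({ type: "POST", url: "/Orders/AddLine", ... });
    // the browser attaches the authentication cookie on its own.
    [HttpPost]
    public ActionResult AddLine(int orderId, string sku)
    {
        if (string.IsNullOrWhiteSpace(sku))
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);

        lock (Orders)
        {
            Order order;
            // Being logged in is not enough: orderId is client-supplied, so the
            // server confirms this order belongs to the authenticated user.
            // The identity comes from the auth cookie, never from a posted field.
            if (!Orders.TryGetValue(orderId, out order) ||
                order.Owner != User.Identity.Name)
            {
                // Same answer for "missing" and "not yours", so order ids
                // cannot be probed by a logged-in user.
                return new HttpNotFoundResult();
            }

            order.Lines.Add(sku);
            return Json(new { ok = true, lineCount = order.Lines.Count });
        }
    }
}
```

With forms authentication, an unauthenticated ajax call to this action is answered with a redirect to the login page rather than a bare 401, so the client-side error handling should expect that.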
