PageMethods security

Posted by TenaciousImpy on Stack Overflow See other posts from Stack Overflow or by TenaciousImpy
Published on 2010-03-21T01:12:49Z Indexed on 2010/03/21 1:21 UTC
Read the original article Hit count: 520

Filed under:
|
|
|
|

Hi,

I'm trying to 'AJAX-ify' my site in order to improve the UI experience. In terms of performance, I'm also trying to get rid of the UpdatePanel. I've come across a great article over at Encosia showing a way of posting using PageMethods. My question is, how secure are page methods in a production environment? Being public, can anyone create a JSON script to POST directly to the server, or are there cross-domain checks taking place? My PageMethods would also write the data into the database (after filtering).

I'm using Forms Authentication in my pages and, on page load, it redirects unauthenticated users to the login page. Would the Page Methods on this page also need to check authentication if the user POSTs directly to the method, or is that authentication inherited for the entire page? (Essentially, does the entire page cycle occur even if a user has managed to post only to the PageMethod)?

Thanks

© Stack Overflow or respective owner

Related posts about ASP.NET

Related posts about pagemethods