PageMethods security
Posted by TenaciousImpy on Stack Overflow
Published on 2010-03-21T01:12:49Z
Hi,
I'm trying to 'AJAX-ify' my site in order to improve the UI experience. In terms of performance, I'm also trying to get rid of the UpdatePanel. I've come across a great article over at Encosia showing a way of posting using PageMethods. My question is, how secure are page methods in a production environment? Being public, can anyone create a JSON script to POST directly to the server, or are there cross-domain checks taking place? My PageMethods would also write the data into the database (after filtering).
I'm using Forms Authentication in my pages and, on page load, it redirects unauthenticated users to the login page. Would the Page Methods on this page also need to check authentication if the user POSTs directly to the method, or is that authentication inherited for the entire page? (Essentially, does the entire page cycle occur even if a user has managed to post only to the PageMethod?)
Thanks