Recently, I have been working with jQuery and *.asmx web services, and I try to be sure of safety at the same time.
I believe it would be possible to send an AJAX request - even when logging out - to a resource that should only be available at login time.
Thus, I include special keys and hashes with each of these AJAX requests to check the status of the user before performing certain actions on the server side.
BUT
I always assumed postbacks were safe in this regard: that .NET will throw an error if it receives a request that has been tampered with.
Is this a safe guess? Or should I check ALL requests, whether they are received through an AJAX or POST message other than AJAX?
I suppose both are technically HTTP POST, but AJAX alone only passes what you explicitly pass, whereas regular ASP.NET includes all viewstate values. Is that right?
Many thanks,
Michael