XmlHttpRequest, ASP.NET Web Service, and Security


Cyphos

Hi Guys,

I have been really trying to get my mind around this AJAX and remote
scripting concept. Good stuff, though I have a security concern.

I have an ASP.NET Web Service, which has a couple of methods. I'm calling the
methods from JavaScript using the XmlHttpRequest object - works
beautifully! However, I don't want any other applications to be able to
call this web service, unless they are authenticated to do so.

How do I implement this? I know that I can set up authentication in the
web.config file of the web service, but that would just mean sending
the username and password from my JavaScript, which is available for
anyone to see.

Any ideas? Thanks.
 

Larry

We are doing exactly this type of thing. Our web services are part of
our web project. The web service methods are marked with the
attribute [EnableSession(true)], which allows them to be part of the
same session as the rest of the web app.

When the web service gets hit with a request, we look up in session a
User object that gets created when the user is originally
authenticated. If it is not present, this means the user has not been
authenticated or the session has timed out. This assumes the rest of
your web app has a strong authentication infrastructure.

Please let me know if this makes sense, and any reason why it may not
be secure enough for you (we are exploring this as well).
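
A sketch of the session check described in the reply above, added here as an example and not code from either poster. The `AppUser` class, the `"User"` session key and the `QuoteService` methods are assumptions; session access is switched on through the `EnableSession` property of `[WebMethod]`.

```csharp
using System;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical type: the login page stores one of these in session
// after the user has authenticated, e.g. Session["User"] = new AppUser(...).
[Serializable]
public class AppUser
{
    public string Name { get; set; }
}

[WebService(Namespace = "http://example.invalid/quotes")] // placeholder namespace
public class QuoteService : WebService
{
    private const string UserKey = "User"; // assumed session key

    // Returns the signed-in user, or fails the call when the session holds
    // no user (never authenticated, or the session has timed out).
    private AppUser RequireUser()
    {
        // Session is null if the method was not opted in to session state.
        AppUser user = Session == null ? null : Session[UserKey] as AppUser;
        if (user == null)
            throw new SoapException("Not authenticated.", SoapException.ClientFaultCode);
        return user;
    }

    [WebMethod(EnableSession = true)]
    public string GetGreeting()
    {
        AppUser user = RequireUser(); // check first, before any work is done
        return "Hello, " + user.Name;
    }

    [WebMethod(EnableSession = true)]
    public int Add(int a, int b)
    {
        RequireUser(); // every exposed method repeats the check
        return a + b;
    }
}
```

The browser attaches the session cookie to each same-site XmlHttpRequest call on its own, so the page's JavaScript never holds a username or password.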
 
