views: 78
answers: 2

I have an AjaxControlToolkit DynamicPopulate control that is updated by calls to a WCF service. I know I can check the HttpContext in the service request to see if a user of the page (and thus, the control) is authenticated. However, I don't want anyone clever to be able to call the service directly, even if they're logged in. I want access to the service to be allowed ONLY to requests that are made from the page. Mainly, I don't want anyone to be able to programmatically make a large number of calls and then reverse-engineer the algorithm that sits behind the service.

Any clever ideas on how this can be done? Maybe I'm over-thinking this?

Thanks in advance.

A: 

The simple answer is: you can't. The complicated answer is: you can fudge it with a lot of work. You could, for example:

  1. Rate limit based on the IP of the caller.
  2. Drop a cookie based upon the session and rate limit on that.
  3. Drop a cookie based upon the page when the page loads and rate limit upon that.

However none is foolproof, and all can go wrong with legitimate requests.

blowdart
Makes sense. I'm thinking about implementing that functionality anyway in order to combat user account sharing. Good to know. Thanks.
NovaJoe
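An added example (not code from the thread or its participants) of options 1 and 2 from the answer above, for a WCF service hosted in ASP.NET: a sliding-window rate limiter keyed on the session id when one exists, otherwise on the caller's IP. It assumes ASP.NET compatibility mode is enabled so that `HttpContext.Current` is available inside the service; `RateLimiter`, `IPopulateService`, `PopulateService` and the 30-requests-per-minute budget are hypothetical names and values chosen for the illustration.

```csharp
// Added example, not from the original thread. Assumes the service runs under
// AspNetCompatibilityRequirementsMode.Required so HttpContext.Current is set.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

public static class RateLimiter
{
    // One queue of request timestamps per key ("sess:<id>" or "ip:<address>").
    private static readonly ConcurrentDictionary<string, Queue<DateTime>> Windows =
        new ConcurrentDictionary<string, Queue<DateTime>>();

    // Returns true while the caller is within maxRequests per window.
    public static bool Allow(string key, int maxRequests, TimeSpan window, DateTime now)
    {
        Queue<DateTime> q = Windows.GetOrAdd(key, _ => new Queue<DateTime>());
        lock (q)
        {
            // Drop timestamps that have aged out of the window.
            while (q.Count > 0 && now - q.Peek() > window)
                q.Dequeue();

            if (q.Count >= maxRequests)
                return false;

            q.Enqueue(now);
            return true;
        }
    }
}

[ServiceContract]
public interface IPopulateService
{
    // DynamicPopulate calls a method that takes the contextKey and returns the markup.
    [OperationContract]
    string Populate(string contextKey);
}

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class PopulateService : IPopulateService
{
    public string Populate(string contextKey)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || !ctx.Request.IsAuthenticated)
            throw new FaultException("Not authenticated.");

        // Option 2: key on the session where possible so users behind a shared
        // NAT address do not throttle each other; fall back to option 1 (IP).
        string key = ctx.Session != null
            ? "sess:" + ctx.Session.SessionID
            : "ip:" + ctx.Request.UserHostAddress;

        if (!RateLimiter.Allow(key, 30, TimeSpan.FromMinutes(1), DateTime.UtcNow))
            throw new FaultException("Too many requests; try again later.");

        // Hypothetical placeholder for the real lookup behind the service.
        return "<span>" + HttpUtility.HtmlEncode(contextKey) + "</span>";
    }
}
```

The limiter lives in process memory, so in a web farm each node counts separately; a shared store (database or cache) is needed for a farm-wide budget. As the answer says, none of this stops a determined caller: it only raises the cost of bulk extraction and makes it visible in the logs.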
A: 

If you really want to restrict this to just this one server making the request, you could add a certificate to that server and check for that certificate. However, you probably can't really limit access to just a single page calling your service.

You could add a lot of additional elements, like headers etc. - but none will really be totally sound - if someone is determined enough, they'll be able to figure out what you're doing, and replicate that.

So really: why do you need to limit this access this badly?

marc_s
The service provides valuable information to a high-value market. 10 million strong consumer base with $8 billion in annual revenue. It seems important to lock it down as tightly as possible to thwart competitors.
NovaJoe
@NovaJoe: ok, makes sense - so can you put a specific certificate on the web server where the requests come from? That would probably be the safest first step, in my opinion.
marc_s
@marc_s: Certificates are a good suggestion. Sounds similar to the site-to-site VPNs that I install. One server, one client. Set it and forget it.
NovaJoe
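An added example (not code from the thread or its participants) of the certificate check marc_s suggests, for the case the answer actually covers: one known server calling the WCF service. It assumes the service endpoint uses transport security with `clientCredentialType="Certificate"`, so WCF has already validated the presented client certificate, and it then pins the caller to one expected thumbprint. `CallerCertificate` and the `EXPECTED_THUMBPRINT_PLACEHOLDER` value are hypothetical; a certificate pinned this way identifies a machine, not a page, so it does not distinguish the browser on the page from a script run by the same logged-in user.

```csharp
// Added example, not from the original thread. Assumes a binding such as
//   <security mode="Transport"><transport clientCredentialType="Certificate"/></security>
// so that WCF has authenticated the client certificate before the operation runs.
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

public static class CallerCertificate
{
    // Returns true only when the authenticated caller presented the pinned certificate.
    public static bool IsExpectedCaller(ServiceSecurityContext ctx, string expectedThumbprint)
    {
        if (ctx == null || ctx.IsAnonymous || ctx.AuthorizationContext == null)
            return false;

        foreach (ClaimSet claims in ctx.AuthorizationContext.ClaimSets)
        {
            X509CertificateClaimSet x509 = claims as X509CertificateClaimSet;
            if (x509 == null || x509.X509Certificate == null)
                continue;

            // Compare the thumbprint, not the subject name, so a different
            // certificate with the same subject is not accepted.
            if (string.Equals(x509.X509Certificate.Thumbprint, expectedThumbprint,
                              StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}

[ServiceContract]
public interface IPinnedService
{
    [OperationContract]
    string Populate(string contextKey);
}

public class PinnedService : IPinnedService
{
    // Placeholder: the real thumbprint would come from configuration.
    private const string ExpectedThumbprint = "EXPECTED_THUMBPRINT_PLACEHOLDER";

    public string Populate(string contextKey)
    {
        ServiceSecurityContext ctx = OperationContext.Current == null
            ? null
            : OperationContext.Current.ServiceSecurityContext;

        if (!CallerCertificate.IsExpectedCaller(ctx, ExpectedThumbprint))
            throw new FaultException("Caller certificate not recognised.");

        // Hypothetical placeholder for the real lookup behind the service.
        return "<span>" + contextKey + "</span>";
    }
}
```

Rejected calls should be logged with the presented thumbprint (or "anonymous") so that a revoked or rotated server certificate shows up immediately rather than as silent failures on the calling page.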