Suppose I'm entertaining a business model that offers free access to my proprietary data if they visit my website. These users will have advertising subsidize the cost.

Then, for the paid users I want to offer direct raw WCF access to my data as an incentive. I don't want this available to the freebie users, but at the same time the site is using AJAX to render the page content.

The Problem

As it is today, AJAX and raw WCF access appear identical on the wire. I need to identify what the source of the traffic is (webpage, or not), and protect my implementation from abuse.

Possible Solution?

It may be possible to grab a page variable (within ASP.NET/JavaScript) and use this as a validation key that is required for non-paid users. I can include this key with every AJAX request. If this is the best solution, how should I send it from the server to the client?

Regarding Authentication

Not sure if this matters, but all users (paid and non-paid) will be authenticated. A cookie will be stored on the client and will likely be generated by an STS.

+1  A: 

Set a generic domain-specific cookie for freebie users. This cookie is sent along with any AJAX request as well, so you can adjust the response. No cookie, no response.

BGerrissen
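
One way to implement the per-page validation key from the question, as an added example that is not code from the original post or answer: the server issues an HMAC-signed, short-lived token bound to the authenticated user when it renders the page, the page sends it back with each AJAX request, and the service rejects non-paid requests that lack a valid one. The names `PageToken`, `Issue` and `Validate`, the user ids and the 10-minute lifetime are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PageToken
{
    // Assumption: a real deployment loads this key from protected configuration
    // shared by all servers; a per-process random key is used here for the demo.
    private static readonly byte[] Key = NewKey();

    // Called while rendering the page; the result is embedded in the page for the script to send back.
    public static string Issue(string userId, DateTime nowUtc, TimeSpan lifetime)
    {
        long expires = nowUtc.Add(lifetime).Ticks;
        return expires + "." + Sign(userId, expires);
    }

    // Called by the service for every request from a non-paid user.
    public static bool Validate(string token, string userId, DateTime nowUtc)
    {
        int dot = (token ?? "").IndexOf('.');
        long expires;
        if (dot <= 0 || !long.TryParse(token.Substring(0, dot), out expires)) return false;
        if (nowUtc.Ticks > expires) return false;              // expired token
        byte[] expected = Encoding.ASCII.GetBytes(Sign(userId, expires));
        byte[] actual = Encoding.ASCII.GetBytes(token.Substring(dot + 1));
        int diff = expected.Length ^ actual.Length;            // compare without early exit
        for (int i = 0; i < Math.Min(expected.Length, actual.Length); i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    private static string Sign(string userId, long expires)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(userId + "|" + expires)));
    }

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string token = Issue("free-user-17", now, TimeSpan.FromMinutes(10));    // constructed user id
        Console.WriteLine(Validate(token, "free-user-17", now));                // request from the page
        Console.WriteLine(Validate(null, "free-user-17", now));                 // raw call, no token
        Console.WriteLine(Validate(token, "free-user-42", now));                // token copied to another account
        Console.WriteLine(Validate(token, "free-user-17", now.AddMinutes(11))); // reuse after expiry
    }
}
```

Any client that loads the page can read the token, so this limits and attributes non-page use rather than preventing it. The user binding and expiry keep a copied token from being shared between accounts or reused indefinitely.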