I'm starting to use ASP.NET Ajax. Following Eric Pascarello's recommendations, I always operate under the assumption that anything can come from the client side (including fake requests).

One matter which I have a hard time accounting for is user authentication. Since we use .NET's built-in session state management mechanism, I'm a bit ignorant of what security risks exist with the web services.

What do I need to do to be certain that the user is who he says he is (to a reasonable enough probability)? Is using

[WebMethod(EnableSession = true)]

enough?

Thanks

+2  A: 

That's how you make sure the Session object is available in your method. If you want to make sure they are authenticated, then configure it in your web.config:

<location path="MyService.asmx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
Al W
Does this work on WCF Services?
Mark Redman
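As an added example (not code from the question or the answer above), this sketch shows a script-callable ASMX method that keeps the `<deny users="?" />` rule as the first gate, re-checks authentication inside the method, and takes the user's identity from the server-side principal instead of from request data. The class name, method name, namespace URI and session key are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

// Hypothetical service: class, method and session key names are assumptions.
[WebService(Namespace = "http://example.invalid/")]
[ScriptService] // allows calls from ASP.NET Ajax client script
public class MyService : WebService
{
    // EnableSession only makes the Session object available in the method;
    // it does not establish who the caller is.
    [WebMethod(EnableSession = true)]
    public string GetCartSummary()
    {
        string userName = RequireAuthenticatedUser();

        // Key server-side state by the authenticated name, never by a
        // user id or name supplied in the request body.
        object cart = Session["cart:" + userName];
        return cart == null ? "empty" : cart.ToString();
    }

    // Defense in depth: refuse anonymous callers even if the web.config
    // authorization rule is later removed or the .asmx file is moved
    // out of the path that the <location> element covers.
    private string RequireAuthenticatedUser()
    {
        if (User == null || User.Identity == null || !User.Identity.IsAuthenticated)
        {
            throw new HttpException(401, "Authentication required.");
        }
        return User.Identity.Name;
    }
}
```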