I have always used the ScriptManager to handle all AJAX calls, but I am starting to expand and am playing around with using jQuery and JSON to consume an ASP.NET 3.5 Web service. I am using standard jQuery calls as you can see below, which is working wonderfully. I am concerned about security and how to ensure that I am not opening any doors by dropping the ScriptManager. Any information is appreciated; what I have found on the net pertains more to implementation rather than security.

$.ajax({
    type: "POST",                                   // ASMX [ScriptService] methods expect POST unless UseHttpGet is set
    url: "Webservices/Service.asmx/HellowWorld",    // same-origin path to the web method
    data: "{}",                                     // JSON-encoded method parameters (none here)
    contentType: "application/json; charset=utf-8", // required, otherwise ASMX will not answer with JSON
    dataType: "json",                               // parse the response as JSON
    success: function(msg) {
        alert(msg.d);                               // ASP.NET wraps the return value in a "d" property
    }
});

UPDATE: Bumping this in the hopes someone can provide some information.

I want to allow only authenticated users to access this service. I am using ASP.NET membership services in MVC and want to ensure that my jQuery AJAX (JSON) calls are being performed by an authenticated user. Any info is appreciated.

A: 

In terms of security, there is no intrinsic difference between using the ScriptManager to generate client proxies to call web services, or using jQuery directly. They both ultimately generate HTTP requests to the server with plain text payloads.

If you are concerned with message and/or transport security, you need to look at using SSL to encrypt the transport channel between the client and server.

Sam
I understand that, and I know not to allow GET requests. I am more concerned about cross-domain calls, etc. I am handling SQL injection data validation in the web methods. The data itself is not sensitive. I just do not want my web method accessible to other server calls. Hope that makes sense. Thanks
Dustin Laine
A: 

What I was looking for on this question was how to handle security on a web service call. Answer: there is no way to automatically authenticate a remote user without passing some form of authentication data with it.

In this scenario I am passing an encrypted token containing the data I then use to authenticate the user. The token is given to them to pass.

If there is a better/more secure way to do so I would be open.

Dustin Laine
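Added example, not code from the original post: a server-side check in the ASMX web method that rejects unauthenticated callers, which covers both the "authenticated users only" requirement and the concern about other servers calling the method (they have no valid cookie). It assumes ASP.NET Forms Authentication (membership) is configured in web.config; the class and method names follow the question's URL, and the Namespace value is a placeholder.

```csharp
using System;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

// Service.asmx.cs (added example; names follow the question's URL, namespace is a placeholder)
[WebService(Namespace = "http://example.invalid/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService] // JSON responses are only produced for POST with Content-Type: application/json
public class Service : WebService
{
    [WebMethod]
    public string HelloWorld()
    {
        // On a same-origin XHR the browser attaches the forms-auth cookie, and
        // FormsAuthenticationModule has already validated it and populated Context.User.
        // A request without a valid cookie (another server, a script from elsewhere,
        // an expired or tampered ticket) arrives here as anonymous.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
        {
            // An exception thrown inside a ScriptService method is returned as an
            // HTTP 500 with a JSON error body, so jQuery's `error:` callback fires
            // instead of `success:`.
            throw new InvalidOperationException("Authentication required.");
        }

        return "Hello, " + Context.User.Identity.Name;
    }
}
```

Restricting the Webservices folder with `<authorization><deny users="?"/></authorization>` in web.config also blocks anonymous callers, but forms authentication then answers the XHR with a redirect to the login page, so the client receives login HTML rather than a JSON error; the explicit check above gives the jQuery caller a response it can handle.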