+1  Q: 

Postback Security

I've been working with jQuery and *.asmx web services lately, and I'm trying to be security-conscious in doing so.

I figure it would be possible to submit an AJAX request -- even when logged-out -- to a resource that should only be accessible while logged-in.

Thus, I include special keys and hashes with each of these AJAX requests in order to validate the user's state before performing certain server-side actions.


I always assumed that Postbacks were safe in that regard. That .NET would throw an error if it received a request that had been tampered with.

Is that a safe assumption? Or should I validate ALL requests, whether they're received via AJAX or a non-AJAX HTTP POST?

I suppose both are technically HTTP POSTs, but the AJAX one only submits what you explicitly pass, whereas a normal ASP.NET one includes all viewstate values. Is that correct?

Thanks very much,


+2  A: 

You shouldn't trust anything that comes in over HTTP - it's trivial to manufacture a GET or POST request.