I've been working with jQuery and *.asmx web services lately, and I'm trying to be security-conscious in doing so.
I figure it would be possible to submit an AJAX request -- even when logged-out -- to a resource that should only be accessible while logged-in.
Thus, I include special keys and hashes with each of these AJAX requests in order to validate the user's state before performing certain server-side actions.
HOWEVER
I always assumed that postbacks were safe in that regard, that .NET would throw an error if it received a request that had been tampered with.
Is that a safe assumption? Or should I validate ALL requests, whether they're received via AJAX or a non-AJAX HTTP POST?
I suppose both are technically HTTP POSTs, but the AJAX one only submits what you explicitly pass, whereas a normal ASP.NET one includes all viewstate values. Is that correct?
Thanks very much,
Michael
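Added example, not code from the original post: the point being asked about is whether the postback path needs the same server-side check as the AJAX path. ViewState MAC and event validation only detect tampering with ViewState and with which control raised the event; they do not establish who sent the request, so an authorization check belongs in both handlers. The page class, role name and method names below are assumptions, and the example shows the same check applied to a Web Forms button handler and to a page-level [WebMethod] that jQuery can POST to directly.

```csharp
using System;
using System.Web;
using System.Web.Services;
using System.Web.UI;

// Hypothetical Web Forms page used only to illustrate the two request paths.
public partial class AccountPage : Page
{
    // Normal postback path. Even with EnableViewStateMac and event validation
    // on, the framework only verifies the ViewState blob and the event source;
    // a logged-out client can still build and send the form POST.
    protected void DeleteButton_Click(object sender, EventArgs e)
    {
        RequireRole("Admin"); // assumed role name
        // ... perform the privileged action ...
    }

    // AJAX path: page method invoked with a JSON POST from jQuery. Page methods
    // are static, so the principal comes from HttpContext.Current rather than
    // the Page.User property. Same check, because nothing in the UI prevents a
    // direct POST to this endpoint.
    [WebMethod]
    public static string DeleteItem(int itemId)
    {
        RequireRole("Admin"); // assumed role name
        // ... perform the privileged action ...
        return "ok";
    }

    // Shared server-side authorization check for both paths. It relies on the
    // framework's authenticated principal (e.g. forms authentication cookie),
    // not on values carried in the request body or in ViewState.
    private static void RequireRole(string role)
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(role))
        {
            // Reject without performing any part of the action.
            throw new HttpException(403, "Forbidden");
        }
    }
}
```

The design choice worth noting is that the check reads the server-side principal rather than anything the client sends. Custom keys or hashes included in an AJAX body can only ever prove that the client knew how to construct them, whereas the authenticated principal is established by the framework on every request, postback or AJAX alike, which is why the same helper is called from both handlers.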