tags:

views:

53

answers:

1
Q: 

How secure is my ASP.NET code?

Hello all,

I've developing an ASP.NET application that interfaces with Google Maps and retrieves marker information from a database. The marker information is split into tables in the database, where the name of the table reflects a company (e.g. CompanyA_MarkerData, CompanyB_MarkerData etc). In order to periodically update the map with new marker data, I use setTimeout in JavaScript to regularly call my 'UpdateMarkers' JavaScript function. 'UpdateMarkers' makes a call to a web service which performs the database query and returns a list of markers back to the JavaScript, which in turn updates the map.

The main issue I have with this method is that my web service requires that I pass it the name of the company so that it knows which table in the database to access. As you can imagine , this poses a security risk as anyone can pass a different company name to the web service and be able to retrieve the data from other companies, as well as their own.

In order to avoid this problem, I am restructuring my program as follows: When the system administrator creates users for my application, they can also assign a company ID to this user. The company ID is stored using the Profile object in ASP.NET. I am moving the web service code into a class with shared functions so that they can be called only within my pages (but not by anyone, like with web services). The functions will still require a company name passed to be passed to them. However, rather than the JavaScript making direct calls to these shared functions, the JavaScript will call a set of page methods (which as I understand it, are not public like web services). These page methods will then use the Profile object to retrieve the company name attached to the user currently logged in and then make a call to my shared database functions and return the info back to the JavaScript.

I think that this second method is more secure than the first, because I don't allow the client to pass different options to my code and retrieve unauthorized data. The server side code works out the parameters that need to be sent. However, I am wondering if there is a better way of doing this that I am missing out?

Thanks

--Amr

+1  A: 

All you need is a method of checking server-side whether the user is allowed to access the data for that company.

I assume you're using AJAX, since you say you're retrieving information from your own database with Javascript. So whichever server-side script/program you call, put the user authentication code in there.

DisgruntledGoat  2010-03-17 16:56:27
Thanks - I wasn't aware that I could access the Membership object from a web service, but it turns out that I can. This is the way to go.
Amr Bekhit  2010-03-18 14:40:49

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?