Security advice for web method invocation

  • Question

  • User-225121172 posted

    So, I have a website (let's call it MySite). We have implemented it primarily using .NET. Recently AngularJS was introduced and we have created aspx pages that consume the AngularJS libraries.

    Recently there was a requirement wherein we had to develop a login module on a virtual directory (let's call this MyVirtualDirectory) within the web site. Please note that the website already uses a login method (which is handled via a button click event handler in .NET). The idea was, upon entering the username and password on the MyVirtualDirectory login module, to call the existing authenticate login method (that is currently consumed by the website). So, for this, we wrote a web method and we are calling the login method from within this web method. This web method is invoked from the Angular code. Everything works as expected and the login web method returns true or false.

    Although functionally things work as expected, I am not too happy about the security aspects. One of the security constraints was that the web method we wrote should be invoked only from within the web site. We thought about a couple of options:

    1. One was to set a cookie on the load of the virtual directory home page and, when the web method is invoked, check for this cookie. Obviously, this has its own set of issues because the cookie could be set by anyone.

    2. The next was to set a session variable on the page load of the virtual directory home page and check for this session variable when the web method is invoked. This was more secure than the first option, but I still felt it was slightly vulnerable.

    Any other thoughts or considerations? To summarize, my question is: how do I securely invoke a web method and ensure that the call is made only from within the website?

    Thanks in advance

    Monday, January 25, 2016 8:27 AM

Answers

  • User614698185 posted

    Hi mzubair,

    how to securely invoke a web method and ensure that the call is made only from within the website?

    If you want to secure the web method, you should add authentication and authorization. Authorization decides who has permission to access the web method.

    For example, to deny unauthenticated access to methods:

    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

    For more information, please see: http://encosia.com/asp-net-page-methods-are-only-as-secure-as-you-make-them/

    Best Regards,

    Candice Zhou

    Tuesday, January 26, 2016 5:44 AM
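As an added example (not code from either post), this is how the question's "session variable" idea becomes a proper per-session anti-forgery token check on an ASMX script service, sitting alongside the authorization the answer recommends. The session key, the X-Request-Token header name and the use of Membership.ValidateUser in place of the site's existing authenticate method are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Script.Services;
using System.Web.Security;
using System.Web.Services;
using System.Web.SessionState;

// Login stays reachable by anonymous callers (it is the login), but it only accepts a
// request carrying the anti-forgery token this session was issued when the page loaded.
[ScriptService]
public class LoginService : WebService
{
    private const string TokenKey = "AntiForgeryToken";   // session slot (assumed name)
    private const string HeaderName = "X-Request-Token";  // header sent by the Angular code (assumed)

    // Call from the home page's Page_Load and embed the result in the page (e.g. a hidden
    // field) so the Angular code can send it back as a request header on every call.
    public static string IssueToken(HttpSessionState session)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        session[TokenKey] = token;
        return token;
    }

    [WebMethod(EnableSession = true)]
    public bool Login(string username, string password)
    {
        var expected = Session[TokenKey] as string;
        var supplied = Context.Request.Headers[HeaderName];
        // Missing or wrong token: the request did not come through our page, so refuse it
        // before touching the credentials at all.
        if (expected == null || supplied == null || !FixedTimeEquals(expected, supplied))
            return false;
        // Membership.ValidateUser stands in for the site's existing authenticate method.
        return Membership.ValidateUser(username, password);
    }

    // Constant-time comparison so the check does not leak where the tokens differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The Angular client reads the embedded token and sets it as the X-Request-Token header on its $http call. Because the login method must remain callable by anonymous users, the `<deny users="?" />` rule from the answer protects the other web methods, while this token check guards the login endpoint itself.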