Block cross domain calls to asp.net .asmx web service

面向向阳花 2021-02-02 04:16

I've built an application that uses jQuery and JSON to consume an ASP.NET .asmx web service to perform CRUD operations. The application and .asmx are on the same domain. I don't

3 answers
  •  礼貌的吻别
    2021-02-02 04:20

    There are two scenarios you need to secure with web services:

    1. Is the user authenticated?
    2. Is the action coming from my page?

    The authentication piece is already taken care of if you're using Forms Authentication. If your web service sits in a Forms Authentication-protected area of the site, nobody will be able to access your web services unless they're logged in.

    The second scenario is a slightly trickier story. The attack is known as CSRF or XSRF (Cross Site Request Forgery). This means that a malicious website performs actions on behalf of your user while they're still logged in to your site. Here's a great writeup on XSRF.

    Jeff Atwood sort of sums it all up in the link above, but here is XSRF protection in four steps:

    1. Write a GUID to your user's cookie.
    2. Before your AJAX call, read this value out of the cookie and add it to the web service POST.
    3. On the server side, compare the FORM value with the cookie value.
    4. Because sites cannot read cookies from another domain, you're safe.
