In a Website environment how do you make an ajax post to Handler.ashx secure and how do you stop people calling that handler.ashx directly and putting rubbish in and possibly breaking things server side?
With firefox and firebug you can pretty much hack the post quickly and easily.
I was thinking of these ideas.
- In the handler check if you are logged in.
- List item on the load of the site create a unique ID is saved as a cookie and
when the handler is called then that ID must exist in the Ajax and
the handler - List item the ajax call must come from a certain page
Do you have any other ideas?
Thanks
Short answer
Use authentication (Windows, Forms, etc) and validate your input.
Slightly longer answer
If your site is configured with an authentication provider, your handler will follow the same rules.
You should always validate any user input or web service input. Don’t assume that your client is giving you pristine input. As you have mentioned, anyone with basic web development skills can spoof a POST. Keep that in mind when validating.