回发安全 [英] Postback Security

问题描述

我一直使用jQuery和*的.asmx Web服务还很少，我想是安全的意识这样做。

I've been working with jQuery and *.asmx web services lately, and I'm trying to be security-conscious in doing so.

我想，这将有可能提出一个AJAX请求 - 即使在注销时 - 以一种资源，应该只访问，而登录的

I figure it would be possible to submit an AJAX request -- even when logged-out -- to a resource that should only be accessible while logged-in.

所以，我包括为了执行某些服务器端操作之前验证用户的状态，特殊键和散列与这些AJAX请求。

Thus, I include special keys and hashes with each of these AJAX requests in order to validate the user's state before performing certain server-side actions.

然而

我一直以为回发是安全的在这方面。如果收到已被篡改的请求。NET将抛出一个错误。

I always assumed that Postbacks were safe in that regard. That .NET would throw an error if it received a request that had been tampered with.

那是一个安全的假设？或者我应该验证所有请求，无论他们是通过AJAX或者非Ajax HTTP POST接收到的？

Is that a safe assumption? Or should I validate ALL requests, whether they're received via AJAX or a non-AJAX HTTP POST?

我想无论在技术上HTTP职位，但AJAX的人们只要提交你明确地传递，而一个正常的ASP.NET一个包括所有的视图状态值。这是否正确？

I suppose both are technically HTTP POSTs, but the AJAX one only submits what you explicitly pass, whereas a normal ASP.NET one includes all viewstate values. Is that correct?

非常感谢，

迈克尔

推荐答案

您应该不相信任何东西来通过HTTP - 这是微不足道的制造GET或POST请求

You shouldn't trust anything that comes in over HTTP - it's trivial to manufacture a GET or POST request.

这篇关于回发安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！