
I'm a little bit confused about which method to use:
1- using jQuery to call an HttpHandler page that implements an order.
2- using ICallbackEventHandler - read more.
Can you give me some advice about which one is more efficient to use.
Thanks

1 Answer

Basic reading

I suggest these links to help you better understand the options and choose what you want:

My choice

I prefer to use jQuery.ajax() and also the jQuery Templates Plugin when needed (loading tabular data from AJAX calls). A lightweight approach, and with much more control for the developer. I don't like how Microsoft likes generating stupid code when we use their handlers.

Security holes

But it's okay, you could have some security issues, as you pointed out in the comments.

Your note about the easy manipulation of the Referer was interesting, but this vulnerability isn't exclusive to jQuery. The problem is that the concept of AJAX itself already carries several security holes, which are known problems discussed over the years.

It's important to observe that using ICallbackEventHandler isn't a solution, since it's only yet another way to generate AJAX requests without you having to type them. But if the asynchronous request exists, it can always be intercepted in some way, just as a $.ajax() call could be.

Finally, you already gave an "almost" answer: it's better to work by passing security tokens as a parameter. If you work with a MasterPage, the token generation in a HiddenField will be abstracted into a single piece of code. And you can encapsulate it in a JavaScript function responsible for making AJAX calls with this token as a parameter. Everything is just a matter of software architecture.

I called it an "almost" answer because nothing is fully secure, and security tokens can also be hacked. Yes, it's much harder and rarer, but 99% is never 100%.

In summary

Your second option with ICallbackEventHandler could have many security issues, as well as your first option with $.ajax(), since a handler will generate some code similar to any code that you would type. In the end, your choice must be a matter of taste. But remember to read about and take the required approaches regarding security in both cases.


6 Comments

+1 An epic comment: "I don't like how Microsoft likes generating stupid code when we use their handlers".
@ErickPetru - nice, but when I'm using .ajax() to add a comment, for example, I should call a page, e.g. aaaa.ashx; this approach may cause some security issues since everyone can send a request to this page, unless I use a token with a session param, which is something I really don't like to do.
I think it's a security problem on some methods where you really cannot accept direct requests (i.e. user authentication). But you can also check HttpRequest.Referer to detect that your domain is the requesting party.
@ErickPetru - HttpRequest.Referer can be easily forged, and user authentication is not a solution because the attacker could be the user himself.
@Israa, thanks for this interesting discussion about security. I read something more to complete my answer regarding these points too. I hope it can help you think a little more about both approaches.
