ajax call handling on asp.net serverside - asp.net

I'm working on an asp.net project based on asp.net AJAX, but we get more and more client side calls using jquery ($.ajax) that get a json or html return. I'm wondering what is the best way to handle these calls on the server side: in the same webform, or use a specific http handler, or even a web service? Can somebody share their experience or best practice?
Thanks.

I'd recommend you an http handler. Normally it's the best and simplest option.
There is no problem with managing the ajax call using a page method (marked as WebMethod and static); the only drawback is that it can only be called from that page. The http handler is independent and can be called from any page.
The web service is normally suitable for calling third party API, I don't see that you need to create one for ajax calls on your own web site.

Related

Hide secret from the webchat iframe

My bot is running in an iframe, but I want to hide the secret.
Is it possible to use the iframe and hide the secret from the users?
See option one here, but instead of doing the request to get the token on the client side, you could do it on the server side when the page loads and then pass it through to the client side. That way you only expose the temporary token to anyone inspecting your iframe code.
Using ASP.NET this could be achieved inside the Page_Load event writing to a hidden field if you’re using webforms, Index/Get method of the controller writing to a bound property and hidden field if you’re using mvc, or in the OnGet method and set on the model of a Razor page.
There are various ways you could do the HTTP request - using the built-in WebRequest or HttpClient classes, or using a third party library such as RestSharp.
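
The server-side exchange described in the answer above, as an added example that is not part of the original post. It assumes the bot is a Bot Framework Web Chat bot (the token endpoint, the `BotConnector` authorization scheme and the embed URL are that service's); the class and method names are hypothetical.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Hypothetical helper: trades the long-lived Web Chat secret for a
// short-lived token on the server, so only the token reaches the browser.
public static class WebChatToken
{
    // Assumption: Bot Framework Web Chat endpoints (the page does not name the service).
    private const string TokenUrl = "https://webchat.botframework.com/api/tokens";
    private const string EmbedUrl = "https://webchat.botframework.com/embed/";

    // One shared client for the application; HttpClient is meant to be reused.
    private static readonly HttpClient Http = new HttpClient();

    // 'secret' comes from server-side configuration and is never rendered into the page.
    public static async Task<string> GetTokenAsync(string secret)
    {
        using (var request = new HttpRequestMessage(HttpMethod.Get, TokenUrl))
        {
            request.Headers.Authorization =
                new AuthenticationHeaderValue("BotConnector", secret);

            using (HttpResponseMessage response =
                       await Http.SendAsync(request).ConfigureAwait(false))
            {
                // Fail loudly instead of rendering an iframe with an empty token.
                response.EnsureSuccessStatusCode();

                // The body is the token as a JSON string, so drop the surrounding quotes.
                string body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
                return body.Trim().Trim('"');
            }
        }
    }

    // The value to put in the iframe's src attribute (or a hidden field).
    public static string BuildEmbedUrl(string botId, string token)
    {
        return EmbedUrl + Uri.EscapeDataString(botId) + "?t=" + Uri.EscapeDataString(token);
    }
}
```

Call `GetTokenAsync` from `Page_Load`, the controller action or `OnGet`, and render only the result of `BuildEmbedUrl`; the secret itself stays in configuration on the server.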

How can I hand over data from an Angular2 app to an ASP.NET page?

I have an existing ASP.NET website with a login. The login procedure is not trivial, because of routing to different front ends on different servers based on which user logs in. There is also some communication/login going on to a classic ASP website.
Now I want to start to decouple the first step of the login procedure using a tiny Angular2 app. Basically this should just collect the user and password and leave the login validation etc. to the existing ASP.NET logic. So from my naive point of view, this is the same as filling out user and password on my existing ASP.NET page and clicking the submit button.
I know that I can make http requests using angular2 and have successfully done so calling SOAP based web services which are part of the login validation process.
I have the idea that I can somehow fake the http request which is executed when submitting the login form in the existing ASP.NET page. But as far as I understand it right now, even if I could make an http request to my login.aspx site the response I would get would sit in my Angular2 observable as text whereas I would like to leave my Angular2 app and "simply use" that response.
I am not even sure what questions to ask ... but how do I do that?
What have I not considered?
Some options I have:
It would be possible to change parts of the existing ASP.NET page(s).
I think it would be OK to open a new browser tab in which the existing ASP.NET app would be displayed.
We need to use static methods to make Ajax calls.
I didn't really understand the whole picture, but I know that you can load an ASP.NET partial view from an Angular2, or even make an http call to an ASP.NET Controller to get your data.
So I don't really understand your problem there, since the question is not clear, but you could make an http call to an ASP.NET Controller that would manage calls to your different WebServices.
Some clarifications would be helpful for a more detailed answer.

How can I securely call a web service (.asmx) which is used for internal purposes from Jquery in an ASP.Net Web Forms application?

I have a system which uses Jquery AJAX calls to an .ASMX web service for INTERNAL and STATELESS use.
(For example, after pressing a button, a Jquery call is launched to insert a new user).
Now, the problem is, that the Jquery AJAX call is dynamically inserted by the user. The user can decide what code of Javascript to put, so he may call a AddUser() function in the web service, or do something else. Then, that piece of code is inserted dynamically and the button will add all the Javascript that the user wrote into the HTML content.
In the case the user decides to call the Jquery and specifically adds a code to call the AddUser() function in the WS, how can I do it securely? How can I assure that this AJAX request is coming from the same domain?
I understand that every HTTP Request header can be manipulated, so how can I assure that the AJAX call is coming from the same site?
I remind you, the purpose of that web service is for internal uses of the system - so I don't want that an external user will read the JS code and copy it and add users as much as he wants!
I don't want to use tokens or identification. It is a stateless request and I just want to add a user but to have control of who is making the call.
I will be happy to get any suggestion. Thank you in advance!
In my opinion you can't. You either add some kind of authentication (if you have one on the site you may use the same authentication) or render a token on the page which is sent with the AJAX request. Of course in both cases you add some form of state but in my opinion the requirement to originate the request from the same site is a requirement to track state.

Ajax toolkit validations are server side or client side?

I have one simple question (doubt).
Ajax is a server side technology so it hits the server asynchronously, but when we use ajax toolkit's text-box validations, then even if internet is disconnected, the text-box gets validated. How? Is it client side?
Actually, AjaxToolkit generates javascript code in pages. All validations are done on the client side.
The AJAXToolkit is basically a helper that implements some client-side functionality for you. The user story in WebForms is all about rapid application development. The entire WebForms infrastructure is in place in order to wrap server-side + client-side functionality in a way that allows you to create web applications like you would WinForms applications. WebForms was developed by Microsoft to allow WinForms developers to use the same techniques when developing for the web.
That being said, all asp.net validators are both client-side and server-side. Doing client-side validation without server-side validation is pointless. Client-side validation (AJAX or not) is only used to give users a more responsive UI and maybe save some server round-trips for input that can be easily detected as invalid. The true validation is done server-side when the form is POSTed. If there were only client-side validation in place, a user with malicious intent could just circumvent the validation by posting the form from a tool like Fiddler. Also, what about clients which do not support JavaScript at all? (Rare as they might be these days...)

securing an asp.net web service for use with jquery ajax

I'm using jquery ajax to fetch data from an asp.net webservice. I'm wondering how I can secure it and have it work with jquery ajax. The service is part of my web application and to access it you have to be logged in to the application. However I'd like to further secure it. For example a consultant looking up all their customers in an autocomplete box is good, but they can instead send in some other consultant's id. What's the best way to secure this?
I've looked at this article here http://msdn.microsoft.com/en-us/library/w67h0dw7%28VS.71,classic%29.aspx . However, I don't know how to make this work with jquery ajax. Any help would be appreciated.
As far as I understand you want to make sure that you know the identity of the person using your service. If the web service is part of your application this should not be a problem by using cookies (assuming the web service is on the same domain as the site). See this e-book for some ideas.
Otherwise you could hand out temporary identifiers to the logged in members of your site which would be used in the webservice calls - this way even if the identifier is stolen, it can only be used for a limited time.
I made it more secure by using encryption. I encrypt the consultant's id when passing it via ajax, and decrypt it on the server side. Obviously I do the encryption on server side and pass it to client when rendering the page. And then ajax makes the call using that encrypted id.
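
A sketch of the page-rendered token suggested in the answer to the internal .asmx question and of the temporary identifier suggested above, as an added example that is not from any of the posters. It signs the value with HMAC-SHA256 rather than encrypting it, binds it to the logged-in user name and gives it an expiry; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: a short-lived token issued when the page is rendered
// and checked by the web method before it does any work.
public static class AjaxToken
{
    // Token layout: base64(userName|expiryUnixSeconds) + "." + base64(HMAC of that payload)
    public static string Issue(byte[] key, string userName, DateTime utcNow, TimeSpan lifetime)
    {
        long expires = ToUnix(utcNow.Add(lifetime));
        byte[] payload = Encoding.UTF8.GetBytes(userName + "|" + expires);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Sign(key, payload));
    }

    // Returns the user the token was issued to, or null if it is malformed, forged or expired.
    public static string Validate(byte[] key, string token, DateTime utcNow)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;

        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }

        if (!FixedTimeEquals(mac, Sign(key, payload))) return null;   // signature check first

        string text = Encoding.UTF8.GetString(payload);
        int sep = text.LastIndexOf('|');
        long expires;
        if (sep < 0 || !long.TryParse(text.Substring(sep + 1), out expires)) return null;
        if (ToUnix(utcNow) > expires) return null;                    // stolen tokens age out
        return text.Substring(0, sep);
    }

    private static byte[] Sign(byte[] key, byte[] data)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(data);
    }

    private static long ToUnix(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    // Comparison that does not stop at the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the web method, reject the call unless `Validate` returns the same name as the authenticated user, and look up customers by that name rather than by a consultant id sent in the request.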
