0

How can I ensure that information isn't returned from a WebMethod or MVC action to just anyone calling it from a jQuery/Ajax call, HTTP POST, GET (you get the idea)?

Previously I would have used session variables or the view state to do this on every call; is this still possible? Can anyone point me to any good demos around making these calls secure? I've seen a few, but they are easy to spoof or work around.

Thanks!

tereško
user1266921

2 Answers

0

You can use the AuthorizeAttribute as an action filter to filter access to your controllers. You can just add this attribute to the controllers you want to limit access to. I think MSDN has a good example for this: http://msdn.microsoft.com/en-us/library/dd381413(v=vs.90).aspx

adelb
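One practical caveat with [Authorize] for actions that are called from jQuery: when the caller is not authenticated, forms authentication answers with a 302 redirect to the login page, and the XMLHttpRequest silently follows it and receives a 200 with the login HTML, which the script then treats as a successful response. The example below is added here and is not code from the answer above or from MSDN. It subclasses AuthorizeAttribute so that anonymous AJAX callers get a plain 401 while normal browser navigation keeps the login redirect. It assumes ASP.NET MVC 3 or later on .NET 4.5 (for SuppressFormsAuthenticationRedirect) with the standard forms-authentication cookie; the controller, action, role name and the returned data are placeholders I made up.

```csharp
// Added example, not from the original answer. Assumes ASP.NET MVC 3+ on .NET 4.5.
using System.Net;
using System.Web.Mvc;

public sealed class AjaxAuthorizeAttribute : AuthorizeAttribute
{
    // AuthorizeAttribute has already decided the caller is not authenticated
    // (or not in the required role) when this runs; we only change how that
    // decision is reported back.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAjaxRequest())
        {
            // Stop FormsAuthenticationModule from turning the 401 into a 302 to
            // the login page; a jQuery caller cannot do anything useful with
            // login markup, but it can react to a 401 status.
            filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
            filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Unauthorized);
        }
        else
        {
            // Regular page navigation: keep the default login redirect.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Placeholder controller and role name (assumptions for the example).
public class ReportsController : Controller
{
    // Only an authenticated user in the "Admin" role reaches the action body.
    // The identity comes from the validated authentication cookie, never from
    // a parameter the caller supplies, so it cannot be spoofed in the request.
    [AjaxAuthorize(Roles = "Admin")]
    [HttpPost]
    public JsonResult Summary()
    {
        // Constructed sample payload; a real action would query its own data.
        return Json(new { owner = User.Identity.Name, total = 42 });
    }
}
```

On the client, handle the 401 explicitly (for example in jQuery's `error` callback or `$.ajaxSetup({ statusCode: { 401: ... } })`) rather than assuming any 200 is data. Authentication alone also does not stop another site from driving a logged-in user's browser into calling the action; for POST actions that change state, add `[ValidateAntiForgeryToken]` and send the token with the AJAX request as well.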
-2

You can also use Session in this case.
1. Create an ActionFilterAttribute class named, e.g., LoginFilterAttribute.

using System.Web.Mvc;
using System.Web.Routing;

public sealed class LoginFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Check if the user is logged in: the login action is expected to have
        // stored something under "UserSessionKey" in the server-side session.
        // Session is reached through the filter context, not as a bare property.
        if (filterContext.HttpContext.Session["UserSessionKey"] == null)
        {
            // Not logged in: redirect to the login page (route assumed here to be
            // Account/Login) instead of running the action.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Account", action = "Login" }));
            return;
        }

        // Logged in: let the action run and return its data.
        base.OnActionExecuting(filterContext);
    }
}

2. In your controller, put this attribute before the action method:

[LoginFilter]
public ActionResult ActionNeedLogin()
{            
    return View();
}

or, register the attribute in global.asax to keep all actions from anonymous access:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new MyHandleErrorAttribute());
    filters.Add(new LoginFilterAttribute());
}
Jerry