
Our system uses HttpContext.Current.Session("Client") to store the current user info.

One property in the session is a roleID i.e. CType(HttpContext.Current.Session("Client"), Client).RoleId

By checking the value of RoleId, the system can identify whether the user can access a couple of pages.

I've validated it on the server side. But I think the easiest way to present the notice message is using JavaScript.

So is it possible to get the session value in JavaScript (even in an external JavaScript)? How about a cookie? What is the drawback of adding cookies to an existing system?

And any other suggestions if you have.

Thx

Yes, I did the validation on the server side. Later, I'll add restrictions in the DBs as well.

Result:

I used a WebMethod inside a web service, because it is a Master Page.

Thanks for your answer.

but another issue raised:

Trigger/Prevent page event by using asynchronous webmethod return value in JavaScript

Please give me some advice on that question as well, thx.

Dan An
  • I describe how to make server calls from javascript in asp.net as an answer here: http://stackoverflow.com/questions/6357085/calling-a-public-function-of-an-asp-net-ajax-server-control-from-client-side/6357188#6357188 – asawyer Feb 28 '12 at 13:29

3 Answers

You could do it as a cookie, but it would slow down your round trip for every resource. Hence, I don't recommend this approach.

One option is to have a dynamic page that returns a JavaScript object in the global scope with the appropriate variables printed out. You then could just include it as a standard script tag.

Another approach is to make an AJAX call.

Keep in mind, you should still always validate the base request and never trust the client.

Daniel A. White

Sending roles to the client and using JavaScript for business logic based upon these roles is a security risk. Users (hackers) know how to manipulate client-side code to gain access to things they're not supposed to.

I recommend sending down only the content the user has access to or use AJAX to retrieve the content dynamically from the client.

But to answer your question, no, you cannot retrieve session data directly from the client.

Chris Gessler
  • Thx for ur reply, for AJAX CALL, do u mean to WCF or ashx? – Dan An Feb 28 '12 at 13:48
  • @DanAn - Either one is fine. An ashx page can be very powerful and easy to implement. Just remember not to give the client anything they can manipulate to their advantage. – Chris Gessler Feb 28 '12 at 13:59
  • Do thx you @Chris Gessler, I know you reply a lot. But Daniel A. White does answer me about cookie and provide more solutions and clear. Thx a lot anyway, see whether you can help me with this http://stackoverflow.com/questions/9498576/trigger-prevent-page-event-by-using-asynchronous-webmethod-return-value-in-javas – Dan An Feb 29 '12 at 14:22

You can make an ashx page or a WCF service and call that with JavaScript. But don't return the roleID and check that ID on the client; instead just return true / false if the user has access. Use a jQuery ajax call to the ashx or WCF service; you should find tons of examples on Google.

Antonio Bakula
  • Returning true|false if the user has access is the same as returning the roleID and checking it on the client. A hacker could easily bypass the service request and hard-code a return value of 'true'. – Chris Gessler Feb 28 '12 at 13:33
  • As I understood, it's only for notification on the client – Antonio Bakula Feb 28 '12 at 13:49
  • OK, so just return the notification for the current client. What if this were a banking app and the wrong notification was displayed because the hacker wanted a 5% APR instead of a 10% APR. Printed web pages could be used to try to get the lower APR. – Chris Gessler Feb 28 '12 at 13:56
  • OK, but I don't see how this is different or better since the hacker can change the notification message also – Antonio Bakula Feb 28 '12 at 13:59
  • Change it to what?? If the 5% APR message is never given to the client, it would be a guessing game as to what it should say. One wrong word and the bank would know it's not valid. – Chris Gessler Feb 28 '12 at 14:04
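The approach the answers converge on (Daniel's AJAX option, Chris's "send down only what the user may see", and the ashx handler Antonio suggests, minus the true/false return that Chris objects to) looks roughly like the handler below. This is an added example, not code from the thread or from the asker's system. It assumes a `Client` class with an integer `RoleId` stored under `Session["Client"]`, as the question describes; the `AdminRoleId` constant, the handler name and the notice texts are placeholders. The role check and the choice of message both happen on the server, so the browser only ever receives the finished text, never the RoleId or an access flag it could rewrite.

```csharp
// Notice.ashx.cs: an ASP.NET generic handler that returns the notice text for the
// current user. Added example; names and role value are placeholders, not the
// asker's real types. IRequiresSessionState is what gives an ashx handler access
// to Session at all.
using System;
using System.Web;
using System.Web.SessionState;

// Stand-in for the Client type the question stores in Session("Client").
public class Client
{
    public int RoleId { get; set; }
}

public class NoticeHandler : IHttpHandler, IRequiresSessionState
{
    // Placeholder role value; the real mapping lives in the application.
    private const int AdminRoleId = 1;

    public bool IsReusable { get { return false; } }

    // Pure function of the role so the decision is easy to unit-test:
    // the RoleId goes in, only the text the user is allowed to see comes out.
    public static string NoticeFor(Client client)
    {
        if (client == null)
        {
            return null; // no session: nothing to say
        }
        return client.RoleId == AdminRoleId
            ? "You have access to the administration pages."
            : "You do not have access to the administration pages.";
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain; charset=utf-8";
        // Never let a proxy or the browser cache one user's notice for another.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);

        string notice = NoticeFor(context.Session["Client"] as Client);
        if (notice == null)
        {
            // Not logged in: the page script can redirect to login; the response
            // carries no role information either way.
            context.Response.StatusCode = 401;
            return;
        }
        context.Response.Write(notice);
    }
}
```

From the master page this is a plain `$.get("Notice.ashx", function (text) { ... })` that drops `text` into the notice element; if a user tampers with that script, the worst they can do is show themselves a different sentence, because the pages themselves are still guarded by the server-side RoleId check the asker already has.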