AJAX Security - Client Side Validation Is For Usability Only, Not For Security

“As to methods there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.”

Ralph Waldo Emerson

AJAX is one technique among many for presenting information to the user and sending it back to the server; the rules that apply to every other technique apply to it as well.

In Driver's Guide vs. Owner's Manual, JD Meier gives a great rundown of the difference between "how things work" and "how to get the most out of it".

Here is an example of how to apply it in practice:

In ASP.NET AJAX Role Application Service – Visual Studio 2008 (Orcas), David walks through a new feature introduced in Orcas, the AJAX Roles service, and provides a sample. This is the Owner's Manual, explaining how things work:

function onLoadRolesCompleted(result, userContext, methodName) {
    // Runs in the browser after the Roles service has loaded the user's roles.
    // It only decides whether the admin view is shown; it grants nothing.
    if (Sys.Services.RoleService.isUserInRole("Administrator")) {
        $get("adminView").style.display = "block";
    }
}

In ASP.NET AJAX Roles and Security, Michael comments on the feature above and points out the importance of validating role membership on the server side. This is the Driver's Guide for safe and secure driving:

"You have to test ALWAYS on the server-side code if the user has the needed user rights to execute your code."
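The two halves of that rule side by side, as an added example that is not part of the original post or of the ASP.NET AJAX samples it links to. The "server" here is an in-process stand-in for the role-protected service; the session store, the role lookup and the request shape are assumptions of this example, and the sessions are constructed sample data.

```javascript
// Server-side state: roles are looked up from the authenticated session only.
// Constructed sample sessions (assumption: the session id arrives as a cookie).
const sessions = {
  "sid-alice": { user: "alice", roles: ["Administrator"] },
  "sid-bob":   { user: "bob",   roles: ["Member"] },
};

// Server-side equivalent of Roles.IsUserInRole: consults the session, never the request.
function isUserInRole(session, role) {
  return session !== undefined && session.roles.includes(role);
}

// Server handler for an admin-only operation. Authorization derives solely from
// the session identified by the cookie; the request body is never consulted for
// the decision, so the handler is safe regardless of what the UI showed or hid.
function handleAdminReport(request) {
  const session = sessions[request.cookies.sessionId];
  if (session === undefined) {
    return { status: 401, body: "not authenticated" };
  }
  if (!isUserInRole(session, "Administrator")) {
    // Worth logging: a non-admin reaching this endpoint means the request did
    // not come through the gated UI, or the UI is out of sync with the roles.
    return { status: 403, body: "forbidden for " + session.user };
  }
  return { status: 200, body: "admin report for " + session.user };
}

// Client-side counterpart of onLoadRolesCompleted(): decides only whether the
// admin view is *displayed*. Returning "none" hides a button; it protects nothing.
function adminViewDisplay(rolesFromRoleService) {
  return rolesFromRoleService.includes("Administrator") ? "block" : "none";
}

// Usability: the non-admin never sees the admin view ...
adminViewDisplay(["Member"]);                                     // "none"
// ... security: a request from that same session sent straight to the
// handler, bypassing the UI entirely, is still refused by the server.
handleAdminReport({ cookies: { sessionId: "sid-bob" }, body: {} });   // status 403
handleAdminReport({ cookies: { sessionId: "sid-alice" }, body: {} }); // status 200
```

The design point is that `handleAdminReport` has no code path in which the client's view of the roles matters: even if the client-side check were deleted, the outcome for each session is unchanged. The client check exists to avoid showing users a control they cannot use, which is a usability concern, not a security one.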

Some server-side techniques for enforcing these checks in server-side code:

Here is another example of not following the core security principle of server-side validation: