
Our system uses HttpContext.Current.Session("Client") to store the current user info.

One property in the session is a roleID, i.e. CType(HttpContext.Current.Session("Client"), Client).RoleId

By checking the value of RoleId, the system can identify whether the user can access a couple of pages.

I've validated it on the server side. But the easiest way to present the Notice Message, I think, is using JavaScript.

So is it possible to get the session value in JavaScript (even in an external JavaScript file)? How about a cookie? What is the drawback of adding cookies to an existing system?

And any other suggestions if you have.

Thanks

Yes, I did the validation on the server side. Later on, I'll add restrictions in the DB as well.

Result:

I used a WebMethod inside a web service, because it is a Master Page.

Thanks for your answer.

But another issue was raised:

Trigger/Prevent page event by using asynchronous webmethod return value in JavaScript

Please give me some advice on that question as well, thanks.


3 Answers


You could do it as a cookie, but it would slow down your round trip for every resource. Hence, I don't recommend this approach.

One option is to have a dynamic page that returns a JavaScript object in global scope with the appropriate variables printed out. You could then just include it as a standard script tag.

Another approach is to make an AJAX call.

Keep in mind, you should still always validate the base request and never trust the client.


3 Comments

Thanks for your reply. For the AJAX call, do you mean WCF or ashx?
It could be web method. WCF might be overkill.
jQuery + webmethod = success!

Sending roles to the client and using JavaScript for business logic based upon these roles is a security risk. Users (hackers) know how to manipulate client-side code to gain access to things they're not supposed to.

I recommend sending down only the content the user has access to, or using AJAX to retrieve the content dynamically from the client.

But to answer your question, no, you cannot retrieve session data directly from the client.

3 Comments

Thanks for your reply. For the AJAX call, do you mean WCF or ashx?
@DanAn - Either one is fine. An ashx page can be very powerful and easy to implement. Just remember not to give the client anything they can manipulate to their advantage.
Thanks, @Chris Gessler; I know you reply a lot. But Daniel A. White did answer me about cookies and provided more solutions, more clearly. Thanks a lot anyway; see whether you can help me with this: stackoverflow.com/questions/9498576/…

You can make an ashx page or WCF service and call that with JavaScript. But don't return the roleID and check that ID on the client; instead, just return true/false for whether the user has access. Use a jQuery AJAX call to the ashx page or WCF service; you should find tons of examples on Google.

5 Comments

Returning true|false if the user has access is the same as returning the roleID and checking it on the client. A hacker could easily bypass the service request and hard-code a return value of 'true'.
As I understood it, it's only for notification on the client.
OK, so just return the notification for the current client. What if this were a banking app and the wrong notification was displayed because the hacker wanted a 5% APR instead of a 10% APR? Printed web pages could be used to try to get the lower APR.
OK, but I don't see how this is different or better, since the hacker can change the notification message also.
Change it to what?? If the 5% APR message is never given to the client, it would be a guessing game as to what it should say. One wrong word and the bank would know it's not valid.
