0

I have written a webservice that basically inserts data into the central database and is expected to be consumed by multiple clients from multiple systems.

It works but the problem is that it can be accessed by anyone hence making it vulnerable to be used by anybody i.e. anybody can spam by entering data or anything.

One way is to check for the Session variable but how would I know the name of the session variable of the client consuming the system or may be he's not authenticating that way?

So what should I do to make it secure?

        [WebMethod(EnableSession= true)]
        public int InsertEngineeringData(string FunctionalLocation, string EqptType, string WINFileNo, string ComponentTagNo)
        {
            try
            {
                if (Session["User"] != null) 
                {

                }

                int EngineeringDataID = 0;

                EngineeringDataDAL EngineeringDataDAL = new Vail_PlantWebApi.EngineeringDataDAL();

                EngineeringDataID = EngineeringDataDAL.InsertEngineeringData(FunctionalLocation, EqptType, WINFileNo, ComponentTagNo);


                return EngineeringDataID;
            }
            catch (Exception ex)
            {

                throw ex;
            }
        }
Dale K
  • 25,246
  • 15
  • 42
  • 71
CodingManiac
  • 123
  • 1
  • 1
  • 9
  • Possible duplicate of [Is there a way to restrict access to an ASMX Webservice, i.e. the asmx page and its WSDL?](https://stackoverflow.com/questions/1400198/is-there-a-way-to-restrict-access-to-an-asmx-webservice-i-e-the-asmx-page-and) – Crowcoder Apr 23 '19 at 12:16

1 Answers1

0

If it is an asmx webservice, then use the link Crocoder posted or another quick way if it works is you can try the [Authorize] attribute although I'm not sure if that will work with an inline webmethod you're using, I've only seen it used in WebAPI. Authorize attribute in ASP.NET MVC

A more robust way that would definitely work is you add a column to the Users table called 'CurrentSessionID' and another one that says 'LastLoginDateStamp' For each login request if you have a valid user you update their session there and a datestamp. Then when the user hits the api, you compare the session and make sure it hasn't exceeded what you decide is a valid threshold for the last login, maybe 24 hours for example.

There would be a lot more work to do after that, but that's the basic idea.

Michael Adamission
  • 480
  • 3
  • 9