Implementing server-side datatable - Security concerns

Zerk Posts: 1 Questions: 1 Answers: 0

Hello all,

Apologies if there are any errors or broken rules on this post with the forum rules, it's my first one!

I have inherited administration of a site (ASP.Net MVC4) which has a page used for administration that is currently using a datatable based on client-side processing.
This initially worked fine; however, there is a large number of users in the database at this point, and the page looping through each user to insert a row for each to populate the datatable is unbearably slow.

The solution of implementing server-side processing is the obvious solution, but this is where my concerns are raised.
An example such as the one below shows how I would expect to go around implementing it:
http://www.codeproject.com/Articles/155422/jQuery-DataTables-and-ASP-NET-MVC-Integration-Part

As the JSON results appear to come from an ActionResult which is a GET rather than a POST, the [ValidateAntiForgeryToken] decoration cannot be used on it. While I could authorise roles, it would still potentially be vulnerable to cross-site request forgery.

There is a minuscule chance of the above scenario occurring, but since the potential leak would be a list of user details, I'd rather err on the side of caution and verify whether this is a valid concern.

Could anyone give any input on either whether this fear is incorrect, or if not then a best way to implement this securely?

Answers

  • tangerine Posts: 3,365 Questions: 39 Answers: 395

    You can use POST instead of GET, if that helps.

    https://datatables.net/examples/server_side/post.html

  • allan Posts: 64,020 Questions: 1 Answers: 10,555 Site admin

    POST is no more secure than GET, so for security that won't help, but if it allows ValidateAntiForgeryToken to be used, it might be useful.

    The key thing will be to send your CSRF token (which I presume is what ValidateAntiForgeryToken relates to), which you can do using ajax.data - assuming your JavaScript has access to the token?

    Allan
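The wiring the two answers describe (switch the DataTables request to POST and attach the anti-forgery token via `ajax.data`), written out as an added example; this is not code from the thread's authors or from the DataTables project. It assumes the Razor view renders `@Html.AntiForgeryToken()`, which emits a hidden input named `__RequestVerificationToken`, and that the controller action is decorated with `[HttpPost]` and `[ValidateAntiForgeryToken]` in addition to the role check. The table id `#users` and the URL `/Admin/UsersData` are placeholders.

```javascript
// Added example: send the ASP.NET MVC anti-forgery token with every
// server-side DataTables request so the action can require it.

// Name of the hidden input produced by @Html.AntiForgeryToken() (assumed to be on the page).
const TOKEN_FIELD = '__RequestVerificationToken';

// Reads the token from the rendered page. Takes the document (or any object
// with querySelector) so the function can be exercised outside a browser.
function readAntiForgeryToken(doc) {
  const input = doc.querySelector('input[name="' + TOKEN_FIELD + '"]');
  if (!input || typeof input.value !== 'string' || input.value === '') {
    // Failing loudly is better than silently issuing requests the server will reject.
    throw new Error('anti-forgery token not found; render @Html.AntiForgeryToken() in the view');
  }
  return input.value;
}

// Builds the ajax.data callback. DataTables calls it with its request
// parameters (draw, start, length, search, order, columns, ...) and, since
// 1.10, sends whatever object the callback returns as the request body.
function withAntiForgeryToken(token) {
  return function (d) {
    // Copy rather than mutate so DataTables' own parameter object is untouched.
    return Object.assign({}, d, { [TOKEN_FIELD]: token });
  };
}

// The complete `ajax` option for the table. POST is required because
// ValidateAntiForgeryToken reads the token from the form body, not the query string.
function buildAjaxOptions(url, token) {
  return {
    url: url,
    type: 'POST',
    data: withAntiForgeryToken(token)
  };
}

// Browser-only wiring; skipped when jQuery/DataTables are not loaded (e.g. under Node).
if (typeof window !== 'undefined' && window.jQuery && window.jQuery.fn && window.jQuery.fn.dataTable) {
  const $ = window.jQuery;
  $('#users').DataTable({
    processing: true,
    serverSide: true,
    // Placeholder action URL; the action behind it should carry
    // [HttpPost], [ValidateAntiForgeryToken] and the role restriction.
    ajax: buildAjaxOptions('/Admin/UsersData', readAntiForgeryToken(document))
  });
}
```

Because the token is read once at page load and added to each request, a cross-site page cannot forge a valid call: it has no way to read the hidden input from the admin page. The role check on the action still has to stay in place; the token only proves the request came from your own page, not that the caller is an administrator.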

This discussion has been closed.