I'm using ASP.NET and the AJAX toolkit and was wondering if there are any security aspects I should be concerned about. I've never used the AJAX toolkit before, and usually from standard controls, there are postbacks which I use to validate input. I assume this is the same with the AJAX controls, but are there any extra catches that might be missed?

Also, I've set some security aspects in my web.config files. As I understand it, anything set in parent folders, cascades down to subfolders. However, my subfolders should only be accessed by those authorized to, so I've created a new web config file per sub folder. These config files only contain the authorization settings. Will all the other settings from the parent config file (besides the authorization ones) still cascade down? Or do I have to copy and paste the whole parent file into the sub folder and change the authorization code in that?

Thanks for any help

The control toolkit shouldn't impact your authorization settings in any way.

The control toolkit doesn't really have any web.config settings, at least none that are required. A lot of people do put in an entry under pages/controls to register the tag prefix, but you can use register directives at the individual pages instead if you prefer.

BTW, you should consider using the location element in web.config rather than having a per-folder web.config. This is usually a little easier to maintain and allows you to do the same thing. More info about location on MSDN.