I think the functionality can be achieved by implementing the access control in Business logic. (My idea of application is that your aim is to restrict input to a particular module... Am I right!!!)

I'm trying to restrict it to a form post, so that no other method of consuming the service can be used.
there's got to be some sort of attribute or config setting that can achieve this, but since I rarely ever use webservices in .net i dunno.

One way is to set some Session variable and check its status before loading the web service

Modify the web.config for your web service as below:
<configuration>
<system.web>
<webServices>
<protocols>
<add name="HttpPost" />
</protocols>
</webServices>
Stu

The following will add support for HttpPost and does not allow HttpGet, I need to check if this prevents SOAP requests.
<configuration>
<system.web>
<webServices>
<protocols>
<add name="HttpPost" />
</protocols>
</webServices>

I now about the protocols bit but is there a way to define this for a single function (setting this specifies an http post for all methods). I was trying to get around this global declaration, but if its the only way then its the only way... I was just hoping for another.
thx

You could do it in code by checking as follows.
if (Context.Request.RequestType != "POST")
{
//Fail
}
else
{
//Succeed
}

this is exactly what I was looking for thankyou!!!
in PHP there is a _POST associative array that allows you to use post variables only and that is what I was hoping for here, so thankyou.