asp.net mvc - MVC to WebAPI authentication for the same application


I'm building a website that has an MVC side and a data WebAPI backend of our own, hosted on a different server (or on Azure). We're going to use Forms authentication.

Since we want users to need to log in only once (to the MVC website), what is the recommended way to transparently authenticate users to the WebAPI backend with the same information they entered on the MVC Forms authentication login?

Since this authentication works based on cookies, would the best way be to call the WebAPI authentication action/method on the login action of the MVC app, get the auth cookie for the WebAPI, and use it on every call to the WebAPI backend?

Any guidance is appreciated.

Gr7, I can't say I've ever attempted what you are doing.

Let me point out what is bothering me about the idea, and how I think you can make it work.

You have an ASP.NET MVC application running on one web server, and an ASP.NET WebAPI application running on another server. You want to use the cookie from one on the other. How is the cookie from the MVC application valid for the WebAPI app? Even if the username and password of the user are the same on both systems, wouldn't the cookie generated by two different applications not be the same? To be clear, I'm not 100% sure about it, it's just a suspicion.

Here is the basis for my suspicion - let's say you run an ASP.NET MVC application on the Azure cloud, and you have it load balanced (meaning you have multiple instances, each running on a different physical machine). A user connects to your website and authenticates on that instance. He then navigates to another page on the website, and the load balancer ends up sending him to that page on another instance. I believe he will be required to reauthenticate in this case, since his cookie is not valid, even though it is the exact same MVC app. The solution to this situation is to set the same machine key on all machines.

This is discussed on MSDN here: http://msdn.microsoft.com/en-us/library/eb0zx8fc(v=vs.100).aspx

And in a Microsoft KB article: http://support.microsoft.com/kb/910443

There are also StackOverflow articles discussing this: "Does Forms Authentication work with web load balancers?" and ".NET Forms Authentication in Azure - what changes are required for multiple VMs?"

So I guess you should be able to set the machine key to be the same on both web servers, and pass the cookie from the MVC application to the WebAPI application in order not to make the user authenticate twice. Correct me if I'm wrong.

The other solution is to hold on to two cookies, one for the MVC app and the other for the Web API. You will need to figure out where to store the WebAPI cookie - since ASP.NET works in a stateless manner, every time the user clicks on a different MVC page it is a totally new transaction. So maybe you want the user's browser to store both cookies. The first time he authenticates, you authenticate him on the MVC application and on the WebAPI application, using the same username and password, and send both cookies back to him (the MVC cookie will automatically go back to him, of course). Each time he navigates to a different page, both cookies are sent to your MVC application, and you have to take one of them and call the WebAPI application with it. You may need to make sure both cookies do not have the same name (by default both are .ASPXAUTH). You can change the name of the MVC cookie in web.config using

    <authentication mode="Forms">
      <forms name="myauthcookie" loginUrl="loginpage.aspx" />
    </authentication>

That should allow you to store two cookies on the user's browser and distinguish between them. I'm assuming both MVC and WebAPI are on the same domain, otherwise the browser won't accept the WebAPI cookie (or at least won't pass it in subsequent requests).

If this answer helps, please vote, I have barely any rep :)

======================================

Edit - adding this in reply to the question below - you wanted to know how to take the cookie the WebAPI gives to the MVC app and return it to the user's browser. I will start with sending the HTTP POST request with credentials to the WebAPI from the MVC app, so we are clear on everything.

Let's use JSON to send the login information as part of the HTTP request to the Web API server from the MVC app. Create a model in the Models folder of the MVC app like this:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;

    namespace SitterWebsite.Models
    {
        // Login payload serialized as JSON and posted to the Web API.
        public class MyJsonLoginModel
        {
            public string UserName;
            public string Password;
            public bool RememberMe;
        }
    }

Then in the Login() method in ActionController.cs, you can add this to make the request

    // Requires: using System.Collections.Generic; using System.Linq; using System.Net;
    // using System.Net.Http; using System.Net.Http.Formatting; using System.Web;

    string loginApiBaseAddress = "http://mywebapiurl.com/";
    string loginApiAddress = "api/accountapi/signmein";

    MyJsonLoginModel myDataModel = new MyJsonLoginModel()
    {
        UserName = "gary",
        Password = "password",
        RememberMe = false,
    };

    // Create the JSON formatter.
    MediaTypeFormatter jsonFormatter = new JsonMediaTypeFormatter();

    // Use the JSON formatter to create the content of the request body.
    HttpContent content = new ObjectContent<MyJsonLoginModel>(myDataModel, jsonFormatter);

    // We are going to return the cookie received from the Web API controller to the browser.
    // We obtain it from the HTTP POST request to the Web API in the form of a Cookie object,
    // so we need to convert it to an HttpCookie object.
    Cookie cookieToSendBack = null;   // cookie of type System.Net.Cookie
    HttpCookie httpCookieToSendBack = new HttpCookie("will_name_later");   // cookie of type System.Web.HttpCookie

    // Create a new cookie container and attach it to the HTTP request.
    // The Web API auth cookie will automatically be put into the container.
    CookieContainer cookieContainer = new CookieContainer();

    HttpClientHandler handler = new HttpClientHandler();
    handler.CookieContainer = cookieContainer;
    HttpClient loginClient = new HttpClient(handler);

    // Set the base address of the client.
    loginClient.BaseAddress = new Uri(loginApiBaseAddress);

    // Set the Web API address of the client.
    Uri loginApiAddressUri = new Uri(loginApiBaseAddress + loginApiAddress);

    // Send the HTTP POST request.
    HttpResponseMessage response = loginClient.PostAsync(loginApiAddressUri, content).Result;

    if (response.IsSuccessStatusCode)
    {
        // Let's access the cookies in the cookie container, since it is automatically populated
        // with the cookies returned by our HTTP request (i.e. the cookies in the HTTP response).
        IEnumerable<Cookie> responseCookies = cookieContainer.GetCookies(loginApiAddressUri).Cast<Cookie>();

        foreach (Cookie cookie in responseCookies)
        {
            if (cookie.Name.Equals(".ASPXAUTH"))
            {
                cookieToSendBack = cookie;
            }
        }

        // Only forward a cookie if the Web API actually issued an auth cookie.
        if (cookieToSendBack != null)
        {
            // We want to return the cookie to the user's browser.
            // The HttpContext.Response.Cookies.Add() method needs an HttpCookie object, not a Cookie object,
            // so we need to convert the Cookie to an HttpCookie.
            httpCookieToSendBack.Name = "garycookie"; // changing the name since both MVC and WebAPI name their cookie .ASPXAUTH
            httpCookieToSendBack.Value = cookieToSendBack.Value;
            httpCookieToSendBack.Path = cookieToSendBack.Path;
            httpCookieToSendBack.Expires = cookieToSendBack.Expires;
            httpCookieToSendBack.Domain = cookieToSendBack.Domain;
            // Carry over the protection flags so the copied ticket is not readable by
            // script or sent over plain HTTP when the original was not.
            httpCookieToSendBack.HttpOnly = cookieToSendBack.HttpOnly;
            httpCookieToSendBack.Secure = cookieToSendBack.Secure;

            // Note - if the domain of the WebAPI is different from the MVC app, you might want to change it in
            // the Domain statement above, otherwise the browser will either not accept the cookie for that domain,
            // or not pass it to the MVC app in the next request.

            this.ControllerContext.HttpContext.Response.Cookies.Add(httpCookieToSendBack);
        }
    }
    else
    {
        // The HTTP POST to the WebAPI failed.
    }

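So when you go to the login page, type out your credentials and hit submit, you get not only the MVC cookie, but also the WebAPI cookie. It will be named "garycookie" per the code above. Every time you go to another page on the website, your browser will request the page and send both cookies to your MVC app. If you wish to call other WebAPI methods, you need to do the reverse of what we have just done, meaning take the modified WebAPI cookie "garycookie" and rename it back to what it was, and send it in the headers when making a GET or POST request to the WebAPI methods.

You should also set the domain of the cookie to match that of the MVC app if the WebAPI and MVC app are not on the same domain. Otherwise the browser will not send the cookie to the MVC app when you request another page.

And by the way, I tested all of this just now, and it works.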
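The reverse step the answer describes, as an added example that is not part of the original answer: an MVC action reads "garycookie" from the browser request, restores the `.ASPXAUTH` name, and forwards it to the Web API. The controller name, the `api/profile` endpoint and the `Login`/`Account` redirect target are hypothetical; the base address is the placeholder used in the answer.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Mvc;

namespace SitterWebsite.Controllers
{
    // Hypothetical controller showing how the renamed Web API ticket is replayed.
    public class ProfileController : Controller
    {
        // Placeholder address from the answer; serve the API over HTTPS in a real
        // deployment so the forwarded ticket is never sent in clear text.
        private static readonly Uri ApiBase = new Uri("http://mywebapiurl.com/");

        public async Task<ActionResult> Index()
        {
            // The browser returns the renamed Web API cookie with every MVC request.
            var browserCookie = Request.Cookies["garycookie"];
            if (browserCookie == null || string.IsNullOrEmpty(browserCookie.Value))
            {
                return RedirectToAction("Login", "Account"); // no Web API ticket yet
            }

            // Restore the original cookie name and scope it to the API host only.
            var container = new CookieContainer();
            container.Add(ApiBase, new Cookie(".ASPXAUTH", browserCookie.Value));

            // Forms authentication may answer a bad ticket with a redirect to the
            // login page instead of 401, so redirects are not followed here.
            using (var handler = new HttpClientHandler
                   { CookieContainer = container, AllowAutoRedirect = false })
            using (var client = new HttpClient(handler) { BaseAddress = ApiBase })
            {
                // "api/profile" is a hypothetical protected Web API endpoint.
                HttpResponseMessage response = await client.GetAsync("api/profile");
                if (!response.IsSuccessStatusCode)
                {
                    // Expired or rejected ticket: make the user log in again.
                    return RedirectToAction("Login", "Account");
                }

                string json = await response.Content.ReadAsStringAsync();
                return Content(json, "application/json");
            }
        }
    }
}
```

Building a fresh `CookieContainer` per request keeps one user's ticket from leaking into another user's outbound call, which would happen if a single cookie-bearing `HttpClient` were shared across requests.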

