1

Let us say the user is successfully 'cookie asp.net form authenticated'. (S)he can now perform a GET request via action A of controller B. Let us say this returns HTML to the user's browser. This HTML contains some jQuery code that performs a GET request to an action that also requires authentication (e.g. after the user hits a button). Is the jQuery GET request automatically authenticated as the user is logged in and has a cookie? Hope this makes sense.

If not, what is the best way to check if the request was an ajax one during the authentication/authorisation (e.g. in a filter attribute)? Thanks!

4
  • you want to create a custom authorization filter for ajax calls Commented Mar 1, 2013 at 21:36
  • Thanks. So you reckon the answer is no and I need to detect whether the request is an ajax request in my filter attribute. Please feel free to post an answer. Commented Mar 1, 2013 at 21:42
  • To be more clear, Yes, you SHOULD authenticate the request. Even though the user is posting, he could have forged the request from outside your site. I hesitate to post an answer b/c you can take 2 approaches. You create a custom authorization filter and apply it to your ajax action method. Or you can check for isloggedin in your action filter. In both cases, if the user does not have authorization, you return JSON false. Or you return a custom error code. Commented Mar 1, 2013 at 21:47
  • Sorry you confuse me. The user is logged in (i.e. cookie created). The question is whether the ajax request 'appears' to be logged in as well. Let us ignore forgery for now. I am just looking at GET requests and just authentication - ignoring authorisation for now. Commented Mar 1, 2013 at 21:55

1 Answer

2

ASP.NET Forms authentication uses a cookie like most any web authentication.

The cookie will be tied to the domain you're requesting.

So ajax or regular requests are all just HTTP requests (usually GET or POST); all requests to the server (depending on HTTP headers) will include the cookie as part of the request.

How you implement the security on the server side is up to you.


2 Comments

This is in disagreement with Dave. Can you please provide some references - I did not find much - otherwise I would not have asked here. Thanks.
There is actually no disagreement. We are in effect saying the same thing. Only one answer is necessary.
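
The approach discussed in the comments and the answer, as an added example that is not part of the original posts: the forms cookie authenticates the AJAX call like any other request, and the filter only changes how a failure is reported. The class, controller and JSON field names are hypothetical, and `SuppressFormsAuthenticationRedirect` assumes .NET 4.5 or later.

```csharp
using System.Web.Mvc;

// Hypothetical filter name. Authentication itself is unchanged: the base
// AuthorizeAttribute checks the principal built from the forms cookie.
public class AjaxAwareAuthorizeAttribute : AuthorizeAttribute
{
    // Runs only when the base class has already rejected the request, so an
    // AJAX call that carries a valid forms cookie never reaches this method.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;

        if (!http.Request.IsAjaxRequest())
        {
            // Normal page navigation: keep the default 401 -> login redirect.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // IsAjaxRequest() only looks for "X-Requested-With: XMLHttpRequest",
        // a client-controlled value. It selects the response format here and
        // is never used to decide whether the caller is trusted.
        bool loggedIn = http.User.Identity.IsAuthenticated;

        // Without this, FormsAuthenticationModule rewrites the 401 into a 302
        // and jQuery receives the login page HTML with a 200 status.
        http.Response.SuppressFormsAuthenticationRedirect = true;
        http.Response.StatusCode = loggedIn ? 403 : 401;

        filterContext.Result = new JsonResult
        {
            Data = new { success = false, authenticated = loggedIn },
            // JsonResult refuses GET requests unless this is set explicitly.
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    }
}

// Hypothetical controller showing where the filter is applied.
public class ReportsController : Controller
{
    [AjaxAwareAuthorize]
    public ActionResult Summary()
    {
        // Reached only with a valid forms cookie, AJAX or not.
        return Json(new { success = true }, JsonRequestBehavior.AllowGet);
    }
}
```

On the client, the jQuery error callback can branch on the 401 or 403 status instead of trying to parse a login page.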
