Safe way to save authentication token in one application js page

Our script:

Our solution consists of an MVC application that serves a javascript single page application and an Asp.Net WebAPI application that is intended to be used both as a standalone api and as a data source for a SPA.

We set everything up so that the two apps share tokens and membership, so if we're logged into the SPA, then the same authenticated cookie will also allow us to access the API.

This works great if you're making API requests in the browser's address bar, but not via AJAX. We followed the examples for configuring basic authentication with Thinktecture, and if we hardcode username / password as the authentication header for our ajax calls, then that works fine too.

My question, however, is what is the correct way to store these details on the client side? Our only real solution so far is to send a base 64 hash of the username \ password as part of the SPA bootstrap and then pull it out when needed. However, this seems insecure.

So, basically, just wondering what is the "right" approach in this situation ... are we close or is there another approach we missed?

Thank!

+3


source to share


1 answer


We use the session token support from Thinktecture.IdentityModel and then make the token available to the client using a dynamically generated script.

Details at http://ben.onfabrik.com/posts/dog-fooding-our-api-authentication



I've also posted a sample app demonstrating these concepts at https://github.com/benfoster/ApiDogFood .

0


source







All Articles