How to log cross-domain traffic within the network (including username) using HTTPHandler?
I am trying to log user activity for several internal websites as well as our SharePoint sites. I am using JavaScript to call (GET) an ashx page (HTTPHandler) which returns a 1x1 invisible GIF. The HTTPHandler grabs the referrer URL, browser information, IP address, action (sent as a QueryString) and (the part I'm afraid of) the username. The username is collected using context.User.Identity in the HTTPHandler, and Integrated Windows Authentication is enabled in IIS 6. The following is part of the js protocol:
    logAction: function(action) {
        try {
            // Request the tracking pixel; the browser fires the GET as soon as src is set
            var i = new Image(1, 1);
            i.src = "http://intranet/tracker/urchin.ashx?action=" + action;
        } catch (e) {
            // Swallow errors so tracking never breaks the page
            //alert(e);
        }
    }
Using jQuery, I've added handlers to button clicks, link clicks, and uploads that call the ashx file and pass the action. (It's also called on page load.)
It all worked fine, or so I thought ... It turned out that I was missing the initial page load event when the user first opened one of the pages, unless it was in the same domain as the HTTPHandler. Using Fiddler I could see the NTLM loop for pages (401.2, 401.1, 200), but only 401.2 for the ashx. It looks like the browser will not send user credentials when the HTTPHandler call is cross-domain. The next page the user visits is logged correctly, but the first page is not logged.
Here are our domains:
- http://intranet
- http://sharepoint
- http://dev <- HTTPHandler for tracking lives here
Is there something wrong with my design, or is it just web browser security? Thanks!
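A Node.js model of what the urchin.ashx handler described above has to do, added here as an example (not the asker's code): it separates the fields the client controls (action, Referer, User-Agent) from the username the server's authentication layer establishes, and shows the cross-domain first-load case where no credentials arrive. The names ALLOWED_ACTIONS, buildLogEntry, pixelResponse and the sample requests are assumptions constructed for the example.

```javascript
// Added example: model of a tracking-pixel handler (not the original ashx code).
const ALLOWED_ACTIONS = new Set(['pageload', 'click', 'upload']);

// 1x1 transparent GIF returned on every request.
const PIXEL_GIF = Buffer.from(
  'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7', 'base64');

// Build one log record. `user` is what server-side authentication established
// (context.User.Identity.Name in ASP.NET); null models the cross-domain request
// where the browser never completed the NTLM handshake.
function buildLogEntry(req, user) {
  const url = new URL(req.url, 'http://dev'); // base host is an assumption
  const action = url.searchParams.get('action') || '';
  return {
    // The query string is client-controlled: accept only a fixed vocabulary.
    action: ALLOWED_ACTIONS.has(action) ? action : 'unknown',
    // Referer identifies the tracked page, but is also client-supplied.
    referer: req.headers['referer'] || '',
    userAgent: req.headers['user-agent'] || '',
    clientIp: req.socket.remoteAddress,
    // Username comes from server-side auth, never from the query string.
    user: user || 'anonymous',
    authenticated: Boolean(user),
    timestamp: new Date().toISOString(),
  };
}

// Response for the pixel; no-store keeps the browser from caching it and
// silently dropping repeat actions.
function pixelResponse() {
  return {
    status: 200,
    headers: { 'Content-Type': 'image/gif', 'Cache-Control': 'no-store' },
    body: PIXEL_GIF,
  };
}

// Constructed sample requests (not real traffic).
const sameOriginHit = {
  url: '/tracker/urchin.ashx?action=click',
  headers: { referer: 'http://intranet/page1.aspx', 'user-agent': 'IE7' },
  socket: { remoteAddress: '10.0.0.5' },
};
const crossDomainFirstLoad = {
  url: '/tracker/urchin.ashx?action=pageload',
  headers: { referer: 'http://sharepoint/default.aspx', 'user-agent': 'IE7' },
  socket: { remoteAddress: '10.0.0.5' },
};

const entryA = buildLogEntry(sameOriginHit, 'CORP\\alice'); // constructed user
const entryB = buildLogEntry(crossDomainFirstLoad, null);    // no credentials sent
```

Records with authenticated set to false are exactly the first-page hits the asker is missing; counting them per referer host shows how much of the activity log is lost to the cross-domain credential gap.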
You might want to see this: http://developer.yahoo.com/javascript/howto-proxy.html
You might not have much to worry about (which I can't provide an accurate technical answer for right now), but the above link will alert you to design issues / solutions / security considerations you should be mindful of for what you are trying to achieve. You are right, there is a browser security issue, as far as I know.
Also do a Google search for "ajax firewall proxy". Some good reading for you there!
Good luck!