Home/ Questions/Q 7186461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T18:38:10+00:00

I have an existing asp.net mvc website that uses basic forms authentication. The site

  • 0

I have an existing asp.net mvc website that uses basic forms authentication. The site has a login page that posts back to a login action, which logs the user in via FormsAuthentication.SetAuthCookie(). I am looking to add an api to the site, as an mvc2 area, where users would be authenticated based on a token passed as an http header. This area will consist of only json actions, so redirecting the user to a login page doesn’t make sense. Instead, I want the users to just pass a token along with each request. That token is mapped to each user account and the user would be authenticated automatically.

I’m struggling with where to put this logic. At this point, the best choice seems to be adding the header lookup logic and authentication to the Global.asax in the Application_AuthenticateRequest method. I want to avoid needing to redirect the user after calling FormsAuthentication.SetAuthCookie(), though. I want the login action to be transparent to them.

Am I approaching this the wrong way?

As a side note: Requiring a username/password for api requests is not possible, as the site has a mix of users. Some joined using OpenID while the rest joined with a username/password.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Went down the road of adding header lookup to the Application_AuthenticateRequest event in Global.asax. The code looks something like:

    private const string AuthorizationHeader = "Authorization";

if (!string.IsNullOrWhiteSpace(request.Headers[AuthorizationHeader]))
{
  try
  {
    // Remove Basic from beginning and then decode the string
    var token = request.Headers[AuthorizationHeader].Substring(6);
    token = new ASCIIEncoding().GetString(Convert.FromBase64String(token)).Split(':')[0];

    return UserService.FetchByApiToken(token);
  }
  catch
  {
  }
}
    • 0