I understand how to use Basic Authentication with jquery, that’s not my issue.
Here’s the structure I have:
Web Site (MVC.net 4 with forms authentication with a custom membership provider)
Web Services (Web API)
MVC.net website calls the web services to authenticate and gets the forms authentication stuff done for login.
Each page will then use SPA principles to get data. The server will only do basic HTML stuff.
So I need to get the credentials into the jquery somehow to do the service call.
The problem is that the password is never stored. Only a hash. It would be fine to put the password in the session and pass it into the page for use (Everything is SSLed where this will occur and the service is ssled) but that presumes that the user is entering the password.
Of course the user can choose “remember me” so the user will never be prompted to login in those cases so I won’t have the password.
Anyone have any (secure) suggestions on how to accomplish this? Where can I safely store the password that jquery will use?
Thanks!
There are 3 solutions that I found that will work for this:
1. Share Forms Authentication information between the two sites. This will work if you set up the machineKey information to be shared with the same cookie name etc. Note: This only works for domain/sub domain. It will not work for 3rd level domains.
2. Use OAuth and get a token and share that with the page so that jquery has access to it and can pass it properly. This requires that the token be visible in the HTML. Given that it’s passed and visible in fiddler etc. for any oauth request this isn’t hugely less secure but…
3. Log in with a web site specific l/p, validate the user, and get a randomly generated GUID or similar token from the server that has an expiry date on it. Put this in the source of every page. Then jquery could pass this as the Authentication header and it would work for that user for the length of time that the token had before it expired (it might be sliding). This is very similar to OAuth but would work outside of oauth to have different rules for our site. Obviously the token is still visible per #2.
Currently we support Basic (because the services are SSLed), and OAuth. The website uses Forms Authentication, so we chose to enable forms authentication on the API server as well and use the shared token for the forms authentication to do the authentication for the jquery. The reason we’ve chosen this path is that if we’d used OAuth the token would have been visible in the source of the page on every request. While this isn’t necessarily bad, unless someone comes to your computer while you’re away and does a view and then can forge requests, we felt that, since we had Forms Authentication available, that would be the best way to go about it without exposing anything at all on the client side.
Please let me know if anyone sees any security risk with this! I can’t see one and no one else seems to see any issue with sharing forms authentication from what I can find online but! This has to be SECURE.
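The shared forms authentication setup the answer describes (option 1) comes down to two web.config requirements: both applications must carry the same machineKey so each can validate and decrypt tickets the other issued, and the forms cookie must have the same name, path and a parent domain so the browser presents it to both hosts. The fragment below is an added, constructed example and not the poster's configuration; it assumes the MVC site and the Web API are both ASP.NET 4 applications on www.example.com and api.example.com, and the key values are placeholders rather than real keys.

```xml
<!-- Constructed example: identical fragment in the MVC site's and the Web API's web.config.
     Key values are placeholders; generate real ones with a cryptographic RNG
     (e.g. IIS Manager > Machine Key) and never reuse keys across unrelated apps. -->
<configuration>
  <system.web>
    <!-- Same keys on both applications, otherwise the API cannot validate
         the ticket the website issued and the user appears anonymous. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_128_HEX_CHARS"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />

    <authentication mode="Forms">
      <!-- name, path and domain must match on both sites. The domain is the
           shared parent so www.example.com and api.example.com both receive the cookie;
           a third-level host on a different parent would not. -->
      <forms name=".SHAREDAUTH"
             domain=".example.com"
             path="/"
             loginUrl="~/Account/Login"
             protection="All"
             requireSSL="true"
             slidingExpiration="true"
             timeout="30" />
    </authentication>

    <!-- Keep the ticket out of reach of page script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With this in place the forms ticket never appears in page source: the browser attaches the cookie to the jQuery call and the Web API's `[Authorize]` filter sees the same identity the website does. Two checks worth making before calling it done: because www.example.com and api.example.com are different origins, the XHR only carries the cookie if the client sets `withCredentials` and the API answers with matching CORS headers (or the API is served from the same origin), and because authentication is now cookie-based, state-changing API calls need the usual anti-forgery token or a custom request header so that a page on another site cannot ride the user's session.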