
We have a single page application using the AngularJS framework that needs to talk to an API implemented in .NET Web API on a different domain.

The problem

The API is implemented in .NET Web API. To authenticate a user for access to our API we implemented the MVC Single Page Application template. This uses FormsAuthentication to grant access to the API.

We used Fiddler to debug. When we visited a controller on the API that required authentication directly in the browser we could confirm that the user was indeed authenticated. When we did an XMLHttpRequest, as suspected, no authentication cookies were sent in the headers.

What we would like to accomplish is to use FormsAuthentication to access the .NET Web API hopefully through XMLHttpRequests.

One proposed solution to this was to share sessions between the .NET Web API and the MVC. How can we easily maintain state between the .NET Web API and the MVC part of the project?

It's not very RESTful, we know, but we need a quick solution to this problem.

PS! The FormsAuthentication works with the .NET Web API controllers by using the [Authorize] attribute. It's only that the controllers can't be accessed with XMLHttpRequests.

[Screenshot of Fiddler when using XMLHttpRequest]

[Screenshot of Fiddler when the request is done directly in the browser]

[Screenshot of an authentication controller to test]

  • Is the Web API hosted in a different domain? They must be in the same domain to share cookies. Commented Apr 9, 2013 at 16:14
  • The single page application is on a different domain than the API. But the Web API and the MVC project are on the same domain. Commented Apr 9, 2013 at 19:54
  • That's the problem. It doesn't matter that the MVC project is in the same domain as the Web API. The client application doing the ajax calls runs on a different domain, so it's not passing the cookies. Commented Apr 9, 2013 at 20:01
  • Hm, that's true. Thanks for the answer. I think I've found a solution that might work just as fine by using token based authentication. I'm following John Petersen's guide: codebetter.com/johnvpetersen/2012/04/02/… Commented Apr 10, 2013 at 8:54
  • Not a direct solution to your problem but we've started looking into JSON Web Tokens which is really interesting and can use the same Authorize attributes for authorization. It should let you do auth but also pass that auth onto your api. self-issued.info/docs/draft-ietf-oauth-json-web-token.html Commented Aug 21, 2013 at 14:35

1 Answer


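This is a CORS request. You can use the Microsoft.AspNet.WebApi.Cors library.

You just need to add ONE line to the Web API config to use CORS in ASP.NET Web API:

// EnableCorsAttribute(origins, headers, methods) lives in System.Web.Http.Cors
config.EnableCors(new EnableCorsAttribute("*", "*", "*"));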

View this for detail.
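Added example (not part of the answer above and not code from the Microsoft library): a small model of the browser's CORS check showing why a wildcard origin works for anonymous calls but is rejected once XMLHttpRequest sends the FormsAuthentication cookie via `withCredentials`, next to a header builder that uses an explicit origin allow-list. The origins and function names are constructed for illustration.

```javascript
// Constructed allow-list: the SPA origin permitted to call the API with cookies.
const ALLOWED_ORIGINS = new Set(["https://spa.example.com"]); // hypothetical origin

// Headers the API should emit for a request Origin when it relies on cookies.
function buildCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {}; // no CORS grant
  return {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stops caches replaying one origin's grant to another
  };
}

// Browser-side decision (per the Fetch standard's CORS check): may script
// running on `requestOrigin` read this response?
// `withCredentials` mirrors XMLHttpRequest.withCredentials (cookies attached).
function browserCorsCheck(requestOrigin, responseHeaders, withCredentials) {
  const allowOrigin = responseHeaders["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false; // "*" fails here when credentialed
  if (!withCredentials) return true;
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Runs the four cases that matter for a cookie-authenticated cross-origin API.
function demo() {
  const spa = "https://spa.example.com";
  const other = "https://other.example.net"; // constructed, not on the allow-list
  const wildcard = { "Access-Control-Allow-Origin": "*" };
  return {
    wildcardAnonymous: browserCorsCheck(spa, wildcard, false),
    wildcardWithCookie: browserCorsCheck(spa, wildcard, true),
    allowListWithCookie: browserCorsCheck(spa, buildCorsHeaders(spa), true),
    unknownOriginWithCookie: browserCorsCheck(other, buildCorsHeaders(other), true),
  };
}

console.log(demo());
```

In Microsoft.AspNet.WebApi.Cors the matching server-side settings are an explicit origin in `EnableCorsAttribute` together with its `SupportsCredentials` property; on the client, the request must set `withCredentials`.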
