Access to an ASP.NET authentication ticket on the client (via javascript)

I have an ASP.NET site that uses forms authentication

    <authentication mode="Forms">
      <forms name="NewsCoreAuthentication"
             loginUrl="~/Default.aspx"
             defaultUrl="~/Default.aspx"
             protection="Validation"
             timeout="300"
             domain="someRootDomain.com" />
    </authentication>

I need to determine whether the user is authenticated on the web page after it has been sent to the client. To do this, I thought I could read document.cookie and check whether .ASPXAUTH is there. But the problem is that even when I am signed in, this value is empty.

How can I tell whether the user is authenticated? Why is document.cookie empty?


Thanks for the answers. blowdart helped me understand why the authentication ticket is not available from client script.

+4
3 answers

The reason this is empty is that the cookie is protected, i.e. marked HttpOnly. This means it cannot be accessed from script. Disabling that is a very bad idea, because any XSS vulnerability on your site could then expose the cookie, so I won't tell you how to do it.

+5
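As an added example (not code from the thread above), here is a small model of what a browser does with Set-Cookie headers and what document.cookie would then expose to page script. The cookie name NewsCoreAuthentication follows the <forms name="..."> attribute in the question's web.config (that attribute sets the cookie name, so with that config the ticket cookie is not called .ASPXAUTH); the header lines and ticket values are constructed placeholders, not real ones.

```javascript
// Added example, not code from the original thread: a model of what a browser
// does with Set-Cookie headers and what document.cookie then exposes to script.
// HttpOnly cookies are stored and sent on every request but are never visible
// to script, which is why the forms-auth ticket is absent from document.cookie.

// Constructed sample headers, as an ASP.NET forms-auth login response might send.
// Cookie name NewsCoreAuthentication follows <forms name="..."> in the question's
// web.config; the values are placeholders, not real tickets.
const SAMPLE_SET_COOKIE_HEADERS = [
  "NewsCoreAuthentication=PLACEHOLDER_TICKET; domain=someRootDomain.com; path=/; HttpOnly",
  "ASP.NET_SessionId=PLACEHOLDER_SESSION; path=/; HttpOnly",
  "theme=dark; path=/",
  "ui_lang=ru; path=/; Secure",
];

// Parse one Set-Cookie header into name, value and the attributes we care about.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(";");
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    domain: null,
    path: "/",
  };
  for (const part of attrParts) {
    const [rawKey, rawVal] = part.trim().split("=");
    const key = rawKey.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "domain") cookie.domain = rawVal;
    else if (key === "path") cookie.path = rawVal;
  }
  return cookie;
}

// The string document.cookie would return for script on this origin:
// HttpOnly cookies are filtered out, and Secure cookies only exist over https.
function documentCookieView(setCookieHeaders, { https }) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .filter((c) => https || !c.secure)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Audit helper: names of cookies that script CAN read. Anything carrying a
// session or auth ticket should never show up in this list.
function scriptReadableCookieNames(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

console.log("document.cookie over https:",
  JSON.stringify(documentCookieView(SAMPLE_SET_COOKIE_HEADERS, { https: true })));
console.log("script-readable cookies:",
  scriptReadableCookieNames(SAMPLE_SET_COOKIE_HEADERS));
```

Running this against the constructed headers shows only theme and ui_lang in the document.cookie view; the ticket and session cookies are present in the browser's jar but invisible to script, which is exactly the property blowdart is describing.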

As others have said, an auth ticket MUST be httponly.

The best way to do this is to use ApplicationServices. The JSON authentication endpoint provides IsLoggedIn, and I noticed your concern about server load. The overhead of calling a static endpoint that just checks the cookie for you is negligible, in fact.

So, if you use MsAjax, just enable application services and call Sys.Services.AuthenticationService.IsLoggedIn.

If you want to do this from raw JavaScript, here is the code ;-)

Add this segment to the configuration file

    <system.web>
      ------------
    </system.web>
    <system.web.extensions>
      <scripting>
        <webServices>
          <authenticationService enabled="true" requireSSL="false" />
        </webServices>
      </scripting>
    </system.web.extensions>

Page....

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title></title>
        <script type="text/javascript">
            function createXHR() {
                // a memoizing XMLHttpRequest factory.
                var xhr;
                var factories = [
                    function() { return new XMLHttpRequest(); },
                    function() { return new ActiveXObject("Msxml2.XMLHTTP"); },
                    function() { return new ActiveXObject("Msxml3.XMLHTTP"); },
                    function() { return new ActiveXObject("Microsoft.XMLHTTP"); }
                ];
                for (var i = 0; i < factories.length; i++) {
                    try {
                        xhr = factories[i]();
                        // memoize the factory so we don't have to look for it again.
                        createXHR = factories[i];
                        return xhr;
                    } catch (e) { }
                }
            }

            function isLoggedIn() {
                var xhr = createXHR();
                xhr.open("POST", "/Authentication_JSON_AppService.axd/IsLoggedIn", true);
                xhr.onreadystatechange = function() {
                    if (this.readyState === 4) {
                        if (this.status != 200) {
                            alert(xhr.statusText);
                        } else {
                            alert("IsLoggedIn = " + xhr.responseText);
                        }
                        xhr = null;
                    }
                };
                // the JSON application service expects this content type
                xhr.setRequestHeader("content-type", "application/json");
                xhr.send(null);
            }
        </script>
    </head>
    <body>
        <input type="button" value="IsLoggedIn?" onclick="isLoggedIn()" />
    </body>
    </html>
+1
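As an added example (not code from the answer above or from ASP.NET itself), the IsLoggedIn round trip modelled as plain functions so that both sides of the exchange are visible: a stand-in for the Authentication_JSON_AppService.axd/IsLoggedIn handler that reads the forms-auth cookie from the Cookie header, and the client-side parsing of its reply. Assumptions: the cookie name NewsCoreAuthentication follows the <forms name="..."> attribute in the question; ticket validity is modelled by a constructed set of known ticket strings (a real server decrypts and validates the ticket); the 405/415 status codes are choices for this model, not documented behaviour of the real service.

```javascript
// Added example, not code from the thread: a model of the IsLoggedIn exchange.
// The browser attaches cookies (HttpOnly ones included) to the request itself,
// so script never needs to read the ticket; the server checks it and replies.

const AUTH_COOKIE_NAME = "NewsCoreAuthentication"; // from <forms name="..."> in the question

// Constructed stand-in for ticket validation. A real server decrypts and
// validates the forms-auth ticket; here a fixed set of strings is "valid".
const VALID_TICKETS = new Set(["PLACEHOLDER_VALID_TICKET"]);

// Parse a request Cookie header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const jar = {};
  if (!header) return jar;
  for (const pair of header.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// Server side: stand-in for POST /Authentication_JSON_AppService.axd/IsLoggedIn.
// The decision is based only on the cookie; any request body is ignored.
// Status codes 405/415 are this model's choice, not the real service's.
function handleIsLoggedIn(req) {
  if (req.method !== "POST") return { status: 405, body: "" };
  const contentType = (req.headers && req.headers["content-type"]) || "";
  if (!/^application\/json/i.test(contentType)) return { status: 415, body: "" };
  const ticket = parseCookieHeader(req.headers.cookie)[AUTH_COOKIE_NAME];
  const loggedIn = ticket !== undefined && VALID_TICKETS.has(ticket);
  return {
    status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ d: loggedIn }),
  };
}

// Client side: parse the reply. ASP.NET 3.5 wraps results as {"d":...};
// the earlier ASP.NET AJAX 1.0 service returned a bare boolean, so accept both.
function parseIsLoggedIn(body) {
  const parsed = JSON.parse(body);
  const value = parsed !== null && typeof parsed === "object" && "d" in parsed ? parsed.d : parsed;
  if (typeof value !== "boolean") throw new Error("unexpected IsLoggedIn response: " + body);
  return value;
}

// Full exchange, given the Cookie header the browser would send for this origin.
function isLoggedInRoundTrip(browserCookieHeader) {
  const req = {
    method: "POST",
    path: "/Authentication_JSON_AppService.axd/IsLoggedIn",
    headers: { "content-type": "application/json", cookie: browserCookieHeader },
  };
  const res = handleIsLoggedIn(req);
  if (res.status !== 200) throw new Error("HTTP " + res.status);
  return parseIsLoggedIn(res.body);
}

// Browser-side equivalent of the XHR in the answer (runs only in a browser;
// left uncalled here). credentials: "same-origin" makes the browser attach
// the cookies, HttpOnly ones included, even though script cannot see them.
async function browserIsLoggedIn() {
  const res = await fetch("/Authentication_JSON_AppService.axd/IsLoggedIn", {
    method: "POST",
    credentials: "same-origin",
    headers: { "content-type": "application/json" },
  });
  if (!res.ok) throw new Error("HTTP " + res.status);
  return parseIsLoggedIn(await res.text());
}

console.log("with valid ticket :", isLoggedInRoundTrip("NewsCoreAuthentication=PLACEHOLDER_VALID_TICKET; theme=dark"));
console.log("without ticket    :", isLoggedInRoundTrip("theme=dark"));
console.log("with forged ticket:", isLoggedInRoundTrip("NewsCoreAuthentication=forged"));
```

The point to take from the model is where the trust lives: the client only learns a yes/no answer for display purposes, and the server still has to enforce authorization on every protected request regardless of what the client asked earlier.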

Number one ... this is a bad idea. There is absolutely no security in checking whether the user is authorized on the client side. None.

But if you really want to do this ... do the check in code and push the value to the client, where it can be read through JavaScript. Something like:

    RegisterClientScript("isvalidated", "var isUserAuthenticated = " + UserAuthenticated);

Do you see the problem now? You can do the same in AJAX ... but it has the same problem.

Well, I can see this as a simple convenience for the user ... showing certain links if they are authorized, for example. But it is not secure in any shape or form. Just do yourself a favor and handle it in code.

0

Source: https://habr.com/ru/post/1302277/
