0

I have an ASP.NET MVC Single Page Application. On the page is a login area with a submit. When the submit is clicked the information is sent to a WebAPI controller and this authenticates on the server (ASP.NET Identity 2 and WebAPI 2). The server then sends a status HTTP response back to the browser to confirm or not if the user was authenticated (signed in).

Now the web page changes and shows a new visible area that has the ability to send PUT's POST's etc to the WebAPI on the server. However how can these convey to the server that the user is now authenticated?

Alan2
  • 23,493
  • 79
  • 256
  • 450

2 Answers2

2

It is (roughly) exactly the same mechanism as all web browser authentication. Upon authentication the server creates a cookie that is stored in your browser that is transferred to the server when you make requests and within it is a token that says "hey, you know me" and the server looks at it and says "yes, I do".

Jeremy Cook
  • 20,840
  • 9
  • 71
  • 77
2

Web server sends encrypted authentication cookie back to web page and all further requests from that page send that cookie back to server.

So it looks like this:

// initial page request
client -> server: give me the page
server -> client: no cookie, you are anonymous, here is your page
// ajax authentication request
client -> server: here are my credentials
server -> client: ok, you are in, here is the authentication cookie
// any other request
client -> server: i want to do something, and here is the cookie 
server: [decrypts cookie] i know this guy
Anri
  • 6,175
  • 3
  • 37
  • 61