
I'm building a WebAPI for an old legacy VB.NET-based WebForms app which uses ASP.NET Membership and Forms Authentication. I need to be able to access the Membership object easily in each request.

In my API, I have managed to get this working by basically passing the aspx AUTH cookie on each request which requires authentication, and I can use the [Authorize] tag to protect the service. This works pretty well, but I am concerned about the security of this.

I have seen a few posts about coupling this or replacing it with basic auth, but I don't see how I would get hold of my membership objects if I went down this route?

It would be great to know how people have achieved using ASP.NET Membership and WebAPI!

Raj
  • What actual concerns do you mean? Any links? Without anything specific, all that can be said is that a webapi request guarded with forms auth is as secure as any other forms auth request. – Wiktor Zychla Aug 08 '16 at 21:36
  • Concerns such as cross site forgery mainly (although I will be using SSL of course). The main concern is mixing quite old school technology with REST, and I am wondering if there is a better way to go about it. I found this link which is interesting, but I couldn't seem to get access to my membership objects. http://www.codeproject.com/Tips/996859/Forms-Authentication-using-Web-API – Raj Aug 08 '16 at 21:52
  • These two, authentication and actual request handling, are independent. And there is nothing wrong with forms auth, it hasn't yet been proven insecure and is used throughout thousands of sites. Thus, when a new approach to request handling is designed, it is perfectly valid to combine it with any existing auth mechanisms. Note that the basic auth is even older, according to the "old school" logic it shouldn't be used either (which is not true of course). – Wiktor Zychla Aug 08 '16 at 22:05
  • Thanks Wiktor. I am not saying there is anything wrong with forms auth - I myself use it on most of my apps. What I am asking is whether there is a preferred way to be able to authenticate and have access to the Membership objects when creating an API. Agreed basic auth is fine, but I am not looking to protect requests for the sake of protecting, I am interested in getting the specific user so I can respond with user specific data etc. I guess I am looking for a good example. – Raj Aug 08 '16 at 22:15
  • Take a look at my answer to a similar question asked like 3 years ago http://stackoverflow.com/questions/19757874/asp-net-web-api-how-to-authenticate-user – Wiktor Zychla Aug 08 '16 at 23:31
  • @Raj What do you mean by `membership objects`? What are you not able to retrieve from the IPrincipal object when you use Web API? – Win Aug 18 '16 at 01:51
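One way to put the pieces from the question and comments together, as an added example that is not Raj's code or from the original post: a Web API controller that resolves the MembershipUser from the identity carried by the Forms cookie, with the [Authorize] check extended by an anti-forgery token check to cover the cross-site request forgery concern that comes with cookie-authenticated APIs. The header name `X-XSRF-Token`, the attribute name and the controller are assumptions, not anything from the post.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Security;

// Authorization filter for a Web API authenticated by the Forms cookie.
// Assumption: the WebForms side issues the anti-forgery pair via AntiForgery.GetTokens
// and the client echoes the second token in the (hypothetical) "X-XSRF-Token" header.
public class CookieAuthWithAntiForgeryAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        base.OnAuthorization(actionContext);          // standard [Authorize] check
        if (actionContext.Response != null) return;   // already rejected with 401

        var request = actionContext.Request;
        // Safe methods change no state, so only state-changing verbs need the token
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head) return;

        var cookieHeader = request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
        var cookieState = cookieHeader == null ? null : cookieHeader[AntiForgeryConfig.CookieName];
        string headerToken = request.Headers.Contains("X-XSRF-Token")
            ? request.Headers.GetValues("X-XSRF-Token").FirstOrDefault() : null;
        try
        {
            // HttpAntiForgeryException (an HttpException) is thrown when the pair does not match
            AntiForgery.Validate(cookieState == null ? null : cookieState.Value, headerToken);
        }
        catch (HttpException)
        {
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery token missing or invalid");
        }
    }
}

[CookieAuthWithAntiForgery]
public class ProfileController : ApiController
{
    // User.Identity comes from the Forms cookie; Membership.GetUser resolves the full
    // MembershipUser. It returns null if the account was removed after the cookie was
    // issued, so that case (and locked-out or unapproved accounts) is treated as 401.
    [HttpGet]
    public IHttpActionResult Get()
    {
        MembershipUser user = Membership.GetUser(User.Identity.Name);
        if (user == null || user.IsLockedOut || !user.IsApproved)
            return Unauthorized();
        return Ok(new { user.UserName, user.Email, user.LastLoginDate });
    }
}
```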

0 Answers