0

I am building a small web app with all HTML controls and have used JavaScript and web services for all my work.

Now I need to add login authentication to my app. Normally I would have done this with ease with server-side code.

       FormsAuthentication.SetAuthCookie(strUSername, createPersistentCookie)

But I need to achieve this using purely JavaScript and web service calls.

       function Autheticateuser(strUser,strPwd)
       {
          Webservice.AuthenticateUser(strUser,strPwd,SetAuthentication,FailAuthentication)
       }

But since JavaScript is not secure, anyone can manipulate this in the browser. How can I make this secure and also keep it away from server-side code?

5
  • What do you mean by "keep away from server side"? Commented Jan 29, 2014 at 22:39
  • Means I do not have code server side. Commented Jan 30, 2014 at 5:43
  • If all operations are done in the browser with JavaScript code and you want to authenticate users with JavaScript code before, then I am afraid this won't work. Commented Jan 30, 2014 at 6:04
  • No, I do not want to authenticate entirely in JavaScript code. By server side code I meant the code-behind of an aspx page. I will be passing the username and pwd to a web service for authentication. But since web service calls are lying open in JavaScript, they can be called by any malicious script easily to try combinations of username and pwd to break into the system. Commented Jan 30, 2014 at 8:51
  • If you call a webservice that takes username/password and returns forms cookie in the response and then your consecutive calls carry the cookie when going to server, then this WILL work. No one will be able to craft the cookie purely at the client side. Commented Jan 30, 2014 at 8:53

1 Answer

1

> web service calls are lying open in javascript it can be called by any malicious script easily to try combinations of username and pwd to break into the system.

The forms authentication controller is not very different from a web service. It takes a form post from an anonymous user with id/password and returns a cookie. This can be called by a script just as easily. That's why you build safeguards (lockout after several unsuccessful attempts) for the authentication.

You don't want to use cookies with Web API services. The easiest thing for you to do is to look into an MVC5 SPA application or Web API 2.0 authentication. These come with Visual Studio 2013 and .NET 4.5. The web services have built-in OAuth token support, which is the proper way to do authentication/authorization for web services. You can do it with earlier versions of MVC, but you need to get external libraries for OAuth support.

This is a good video to get into Web API security.
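
As an added example (not part of the original answer, and not ASP.NET's own code): the lockout safeguard mentioned above, enforced on the server in front of the credential check so that a script calling the web service directly hits the same limit as the login page. `createLoginGuard`, its options and `checkCredentials` are hypothetical names, and the in-memory map stands in for a shared store.

```javascript
// Added example: lockout in front of the login web service. createLoginGuard,
// its options and checkCredentials are hypothetical names, not ASP.NET APIs.
function createLoginGuard({ checkCredentials, maxFailures = 5,
                            windowMs = 15 * 60 * 1000, lockMs = 15 * 60 * 1000,
                            now = Date.now }) {
  // username -> { failures, firstFailure, lockedUntil }. In-memory for the
  // example; a real service needs a shared store with expiry and a size bound.
  const state = new Map();

  return function authenticate(user, pwd) {
    const key = String(user).toLowerCase(); // assume case-insensitive usernames
    const t = now();
    let s = state.get(key);

    if (s && s.lockedUntil > t) {
      // Refuse without checking the password, so guesses made during the
      // lockout reveal nothing, not even when one of them is correct.
      return { ok: false, reason: 'locked', retryAfterMs: s.lockedUntil - t };
    }
    // Start from a clean slate once a lock has run out or the failures are old.
    if (s && (s.lockedUntil !== 0 || t - s.firstFailure > windowMs)) {
      state.delete(key);
      s = undefined;
    }
    if (checkCredentials(key, pwd)) {
      state.delete(key);
      return { ok: true }; // the server would now issue its cookie or token
    }
    s = s || { failures: 0, firstFailure: t, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= maxFailures) s.lockedUntil = t + lockMs;
    state.set(key, s);
    // Same answer for an unknown user and a wrong password.
    return { ok: false, reason: 'invalid' };
  };
}

// Constructed demo: one account, three allowed failures, a fake clock.
let demoClock = 0;
const demoLogin = createLoginGuard({
  checkCredentials: (u, p) => u === 'alice' && p === 'correct-horse', // stand-in for a password-hash check
  maxFailures: 3, lockMs: 30000, now: () => demoClock,
});
['a', 'b', 'c'].forEach((guess) => demoLogin('alice', guess));
console.log(demoLogin('alice', 'correct-horse')); // refused: account is locked
```

Locking per username lets anyone lock a known account out by failing on purpose, so the lock is kept short and time-limited here rather than permanent.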
