How to determine if the webservice call comes from the Forms authorised page?

Question

I have an asp.net web application in which i use several we services to serve several ajax requests. The problem is how to determine whether the corresponding call comes the page that i have served. I use forms authentication in my pages. Is there any way in which i can authorise the user calling the weservice through the same forms authentication.

Answer 1

Great question, no doubt!

This reminds me an old question I already answered to. Your scenario is different, but the root problem remains the same: if you call a web service from a Web Form, how to share authentication data with the form?

There is no simple and close-form solution to that. You can think about implementing WS-Security into the Web Service, and have the Web Form authenticate itself against the Web Service after checking that the user is authorized.

The Web Service won't share information about user login unless explicitly passed as parameter method (ie. void PerformAction(string userId, ...)), but remember that in this case the perspective changes dramatically.

This is the best idea that comes into my mind, however, keep in mind that either you deeply redesign your web service or you are unable to let user-generated clients (ie. desktop applications compiled against your WSDL) to use your service.

[Add] now that you explained your scenario a little bit more detailed, here comes the exciting part of software engineering :)

As I said in my comment, you have multiple options, for example:

1. Storing username/password in page's markup (in Javascript variables) and have JQuery send them as a parameter for the web service. WS will then authenticate the request basing on that data. Unrecommended because if someone can access user cache the password is exploited (there are easier means to stole someone's password on a shared/public computer, I won't discuss them), and also because if you plan to switch from plain HTTP to HTTPS to secure authentication then you must secure the web service too
2. Have web application generate an authentication token that is valid for the web service. The idea sounds like this: first, have a shared object between webapp and web service (like an object inside Application collection) or, if webapp and web service are on different servers, use a DBMS; then, for each webapp's successful authentication, generate a unique token (session ID can be fine) and store it in a JS variable that will be passed to web service; finally, when web service is invoked, check against that shared object that the token is valid (ie. user is authenticated and still logged in, with permission to access that web service, so both authentication and authorization), otherwise reject

If other guys have ideas, don't hesitate to help ;)

Answer 2

This might help: Securing web-services created using ASP.NET

-- Pavel

Answer 3

Since you are doing Forums authentication you can do something like this in your WebMethod

If Not HttpContext.Current.User.Identity.IsAuthenticated Then
    Return Nothing
End If

It might be better to throw an exception if you are doing an GET though, that way the empty result doesn't get cached on the client side.