-1

Our project consists of an MVC area which handles authentication/authorization and rendering of pages, and an API area which also requires authentication/authorization and sends data to the page. We decided to go stateless for the server, so each request must include the authorization header with the user's credentials.

I accomplish this with the API calls with xhr.setRequestHeader('Authorization', 'Bearer ' + authCookie); in jquery's beforeSend, however I am unsure how to do this for the MVC side (each time you click a link or enter a URL, the request should include the Authorization header). Currently I'm doing this inside Application_BeginRequest and setting Request.Headers["Authorization"] = Request.Cookies["auth"];, but I want the Authorization header to be in the initial request, and not just tacked on after the request has been sent.

Erik Philips
  • 53,428
  • 11
  • 128
  • 150
Brett
  • 2,706
  • 7
  • 33
  • 49
  • [I've removed the tags from your title](http://meta.stackexchange.com/questions/61055/when-should-we-remove-pseudo-tags-from-a-title). – Erik Philips Sep 19 '13 at 04:24

1 Answers1

2

I believe you won't be able to set Headers; when the browser directs you to a link via an anchor click (unless you catch all anchor clicks using jquery, seems like overkill), nor will headers be sent on Form submits (Get/Post, unless you again catch all forms submissions), and the killer is the fact that server side redirects will also not resend any custom headers.

Instead of answering how to do something in jQuery, I would highly recommend reconsidering your design because based on the above facts, you will most likely run into technical limitations.

Community
  • 1
  • 1
Erik Philips
  • 53,428
  • 11
  • 128
  • 150
  • Just to clarify, the jQuery is used for attaching the auth header before sending ajax calls to the API and is not used for navigating pages. If I can't persist the Authorization header for all requests, is grabbing the credentials from the request cookies the best way to send credentials on every request? This is what I did initially, but I thought since there's a header specifically for Authorization, I should try use that. – Brett Sep 19 '13 at 05:33
  • Are you using the WebAPI? – Erik Philips Sep 19 '13 at 06:26
  • Well my solution is separated into an API project and an MVC project (may not be best, but I thought there would be conflicts with controllers if I had them in the same project). It's the MVC project that I have difficulties with for the Authorization header, since for the API I only ever call using ajax, so I can explicitly set the Authorization header before sending the request. – Brett Sep 19 '13 at 06:50
  • Controllers don't have to conflict if you use the namespaces parameters in [MapRoute()](http://msdn.microsoft.com/en-us/library/dd460158(v=vs.108).aspx). Regardless, you can also [share cookies across different ASP.Net products overiding the domain for cookies](http://stackoverflow.com/a/7592668/209259). So unless you are using Windows Auth (not recommended), there isn't any reason both sites can't share authentication with simple web.config change. – Erik Philips Sep 19 '13 at 07:12
  • Excellent. Thanks for all the info. One final question: could you provide more information on the "simple web.config change"? Duplication of my authentication/authorization is probably my biggest concern with splitting these into separate projects. Thanks. – Brett Sep 20 '13 at 00:55
  • I updated the link on my previous comment with all the instructions. – Erik Philips Sep 20 '13 at 01:39
  • Sorry I down voted your answer, it is only a miss click. and I can not remove it. – pix Sep 07 '16 at 09:37