Sean Hederman

Reputation: 470

How to share authentication between website and service for Ajax

I have a WebSite (MVC 4) and WebService (Web API). WebSite has an authentication cookie and it decrypts that in order to send a secure token on to WebService when the WebSite server side code calls the service. That works fine.

However, the WebSite has JavaScript that I would like to call the WebService directly. I've tried sharing the MachineKey and Auth information, but the cookie is not carried across the WebApi.

My fallback is to route all calls to the WebService via the WebSite; but that's ugly and slow.

Any ideas?

Upvotes: 2

Views: 655

Answers (1)

Sean Hederman

Reputation: 470

The correct answer is Darin's. In order to share a login cookie between a services site and a web site, they will both have to be on the same domain; so e.g. the services site could be at

http://svc.mysite.com

And the web site could be at

http://www.mysite.com

Then the browser will allow the two sites to share the same cookie.

An alternative would be to have the site authenticate to the services site and get a token of some kind it could pass to the JavaScript. However, unless you were running on HTTPS this would be highly insecure, as the token would be available "in the clear".

A final mechanism (and the most common solution I think) would be to route all API accesses through the web site, but this is not ideal in many circumstances.

Upvotes: 2
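The subdomain approach in the answer above depends on how the cookie's `Domain` attribute is set. The following added example (not code from the original post) models the RFC 6265 storage and domain-match rules for the two hosts named in the answer; `storeCookie` and `isSentTo` are hypothetical helper names, and the public-suffix check that browsers also apply is left out.

```javascript
// Added example: simplified model of RFC 6265 cookie scoping (sections 5.1.3 and 5.3).
// Not modelled: Path, Secure, SameSite, and the public-suffix rejection browsers apply.

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 5.1.3: identical, or host ends with "." + cookie domain and is not an IP.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  return !isIpAddress(host) && host.endsWith("." + cookieDomain);
}

// What the browser stores when `setterHost` sends Set-Cookie with an optional Domain.
// Returns null when the cookie is rejected.
function storeCookie(setterHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to the exact setting host only.
    return { domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  if (!domainMatch(setterHost, domain)) return null; // cannot set for a foreign domain
  return { domain, hostOnly: false };
}

// Would the browser attach this stored cookie to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Hosts from the answer, plus one constructed unrelated host for contrast.
const hosts = ["www.mysite.com", "svc.mysite.com", "www.othersite.com"];
const hostOnly = storeCookie("www.mysite.com", null);
const shared = storeCookie("www.mysite.com", ".mysite.com");
for (const h of hosts) {
  console.log(h, "host-only:", isSentTo(hostOnly, h), "Domain=.mysite.com:", isSentTo(shared, h));
}
```

Even when the cookie is scoped to the parent domain, a cross-origin `XMLHttpRequest` only attaches it when `withCredentials` is set and the service responds with `Access-Control-Allow-Credentials: true` and a specific `Access-Control-Allow-Origin`.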
