SB2055

Reputation: 12852

Using Forms Authentication with WebAPI when the client is in a different domain?

Related question:

Authentication in .NET Web API using MVC FormsAuthentication

I have a client application that lives outside of my WebAPI solution's domain (right now two different solutions on localhost - one on port X, the other on port Y). I'm attempting to use forms authentication with code like this:

if (WebSecurity.Login(model.UserName, model.Password, persistCookie: true))
{
    var response = Request.CreateResponse(HttpStatusCode.OK, "logged in successfully");
    return response;
}

In something like Postman this works, but using the client / JS application, the cookie does not get saved, so the user is never truly authenticated. I see the _RequestVerificationToken, but never the .ASPXAUTH token.

A requirement of this application is to use forms auth by setting cookies using WebSecurity. Is this possible when client and server are on different domains?

If there's anything else I can provide to make this issue clearer, please let me know.

Upvotes: 1

Views: 575

Answers (1)

Assuming you are using CORS: by default, cookies are not enabled with CORS. In jQuery, you need to set

xhrFields: {
    withCredentials: true
}

Also, the server must send the response header Access-Control-Allow-Credentials: true.

Upvotes: 2
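
The two requirements from the answer above, modeled as an added example that is not part of the original answer or of any library: the server side builds the CORS headers for an allowlisted origin, and the browser side applies the credentialed-request checks. The function names, the allowlist and the localhost origins are hypothetical and constructed; the model goes slightly beyond the answer by showing that a credentialed response must echo the exact origin rather than `*`, and it ignores SameSite and third-party cookie policies.

```javascript
// Added example: simplified model of CORS with credentials (all names hypothetical).
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]); // constructed client origin

// Server side: CORS response headers for the Origin header of an incoming request.
function corsHeadersFor(origin, allowCredentials = true) {
  const headers = {};
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return headers; // unlisted origin: no grant
  // Echo the exact origin; browsers do not accept "*" on credentialed requests.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Vary"] = "Origin"; // stop caches reusing this grant for another origin
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: what happens to a cross-origin XHR response for a page at pageOrigin.
function browserOutcome(pageOrigin, withCredentials, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  // Cookies are attached and Set-Cookie is honoured only in credentialed mode.
  const cookiesHandled = withCredentials === true;
  const readable = withCredentials
    // Credentialed: exact origin match plus the literal string "true".
    ? allowOrigin === pageOrigin &&
      headers["Access-Control-Allow-Credentials"] === "true"
    // Non-credentialed: wildcard or exact origin is enough.
    : allowOrigin === "*" || allowOrigin === pageOrigin;
  return { cookiesHandled, readable };
}

const page = "http://localhost:3000";
// The situation in the question: login call succeeds, but no auth cookie is kept.
console.log(browserOutcome(page, false, corsHeadersFor(page)));
// With both halves of the answer applied.
console.log(browserOutcome(page, true, corsHeadersFor(page)));
```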
