Reputation: 443
I am building a small web app with all HTML controls and have used JavaScript and web services for all my work.
Now I need to add login authentication to my app. Normally I would have done this with ease with server-side code.
FormsAuthentication.SetAuthCookie(strUSername, createPersistentCookie)
But I need to achieve this using purely JavaScript and web service calls.
function Autheticateuser(strUser, strPwd)
{
    // Call the web service proxy; the callbacks handle success and failure.
    Webservice.AuthenticateUser(strUser, strPwd, SetAuthentication, FailAuthentication);
}
But since JavaScript is not secure, anyone can manipulate this in the browser. How can I make this secure and also keep it away from server-side code?
Upvotes: 0
Views: 217
Reputation: 976
Web service calls are lying open in JavaScript; they can be called by any malicious script easily to try combinations of username and pwd to break into the system.
The forms authentication controller is not very different from a web service. It takes a form post from an anonymous user with id/password and returns a cookie. This can be called by a script just as easily. That's why you build safeguards (lockout after several unsuccessful attempts) for the authentication.
You don't want to use cookies with Web API services. The easiest thing to do for you is to look into MVC5 SPA application or Web API 2.0 authentication. These come with Visual Studio 2013 and .NET 4.5. The web services have built-in OAuth token support, which is the proper way to do authentication/authorization for web services. You can do it with earlier versions of MVC, but need to get external libraries for OAuth support.
This is a good video to get into Web API security.
Upvotes: 1
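The lockout safeguard mentioned in the answer above, sketched as an added example that is not code from the original posts or from ASP.NET itself. It runs on the server behind the AuthenticateUser web method; `LoginThrottle`, `TryAuthenticate` and the `verify` delegate are hypothetical names, and `verify` stands in for the real credential check.

```csharp
using System;
using System.Collections.Concurrent;

// Server-side lockout guard; the browser never takes part in this decision.
public sealed class LoginThrottle
{
    private sealed class Entry { public int Failures; public DateTime LockedUntil; }

    // Keyed by user name, case-insensitive. Entries are never evicted in this
    // sketch; a real service should expire them or cap the table size.
    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly int _maxFailures;
    private readonly TimeSpan _lockout;
    private readonly Func<DateTime> _utcNow;   // injectable clock, for testing

    public LoginThrottle(int maxFailures, TimeSpan lockout, Func<DateTime> utcNow = null)
    {
        _maxFailures = maxFailures;
        _lockout = lockout;
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    // verify is the real credential check (assumed: a salted-hash comparison).
    // It is only invoked while the account is not locked.
    public bool TryAuthenticate(string user, string password, Func<string, string, bool> verify)
    {
        var entry = _entries.GetOrAdd(user ?? string.Empty, _ => new Entry());
        lock (entry)
        {
            var now = _utcNow();
            if (now < entry.LockedUntil) return false;   // locked: reject even a correct password

            if (verify(user, password))
            {
                entry.Failures = 0;                      // success clears the counter
                return true;
            }

            // Unknown user names are counted too, so lockout behaviour does not
            // reveal which accounts exist.
            if (++entry.Failures >= _maxFailures)
            {
                entry.Failures = 0;
                entry.LockedUntil = now + _lockout;
            }
            return false;
        }
    }
}
```

The web method would return only the result of `TryAuthenticate` and issue the cookie or token on `true`, so a script calling the service directly hits the same lockout as the login page.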