Reputation: 6685
Forms authentication cookie not sent in ajax post from http to https (the same domain)
I'm sending AJAX form from page in http scheme to https url (the domain, and the appliaction is the same). I use MVC 3 Ajax helper:
@using (Ajax.BeginForm(MVC.Payment.Confirm(), new AjaxOptions
{
HttpMethod = "Post",
UpdateTargetId = "myId",
InsertionMode = InsertionMode.Replace,
OnBegin = "$('#popupAjaxLoader').show();",
OnSuccess = "$('#popupAjaxLoader').hide();",
Url = "https://same.domain/payment/confirm"
}, new { @action = "https://same.domain.com/payment/confirm" }))
{
...
}
In the application I use forms authentication:
<forms loginUrl="~/Account/LogOn" timeout="2880" name="MYCOOKIENAME" />
In firebug I can see that the authentication cookie is not sent to the server when submiting the form, so the handler fails (the request need to be authorized). How can I force Ajax.BegiForm to attach authentication cookie?
UPDATE:
It turned out that the solution given by counsellorben works if there is no need to receive any information back from the ajax request. Sending Ajax POST from HTTP to HTTPS works fine (cookies are not attached, so you have to POST all neccessary data as hidden form fields), but the server response is not accessible for javascript because of Same Origin Policy. Eventually I had to abandon Ajax and place the form inside iframe referencing HTTPS url which seems to be the ultimate solution for this problem.
Upvotes: 0
Views: 4109
Answers (1)
Reputation: 10924
Your problem is that this violates the Same Origin Policy. See the response to this question: Same origin policy with same domain, but https.
UPDATE
If it is not possible to make the entire portal use HTTPS, then the alternative is to use a different authentication scheme for your AJAX form submission.
I would suggest creating a GUID token for the AJAX form, storing the GUID in your repository along with (1) its creation time and (2) the ID of the user to which the GUID was assigned. Then pass the GUID in a hidden field on your AJAX form.
Remove the [Authorize] attribute from the action being called via the AJAX form, and instead check in your action that a GUID is passed, the GUID is valid, and it has not expired (setting an expiration time of 20 minutes, or whatever is valid under these circumstances). Use the GUID token to identify your user, and proceed as necessary.
Also, you should have some method to purge expired GUID tokens.
This should provide adequate security, since the GUID token is issued to an authorized user, and identifies the user submitting the AJAX form. It also permits you to use HTTPS only for the AJAX form submission, since you are no longer relying on the authentication cookie being passed.
Upvotes: 2
Related Questions
- Auth cookie dissapears after login over HTTPS
- AJAX request not sending cookies (NET 5)
- Cross domain POST request is not sending cookie Ajax Jquery
- Aspnet core cookie [Authorize] not redirecting on ajax calls
- ASP.NET MVC Ajax form submitted cross domain not sending Cookies
- JQuery ajax call on same domain not sending cookies when data is sent
- Ajax POST FormData not working in https(Secured Link)
- ASP.NET MVC Website Partial SSL Authentication cookie not submitted in request
- Cookie set by asynchronous HTTPS request not showing up
- 3rdParty cookies issue when using crossdomain ajax