Hello,
I want to create a login mechanism for the web platform I'm building. It's .NET 6 (cshtml pages).
My login page uses a JS file with control handlers and Ajax calls. The login page (and the rest of the UI) is hosted over HTTPS.
The Ajax calls go to a web API (also HTTPS).
At the moment I host it locally on IIS 10 (Windows 10). I use 2 different domains.
My thought:
- I put the credentials in a cookie (at the moment not yet encrypted)
- Via an Ajax call I have to send this cookie to the server
- In the login controller I can verify if the username/password is correct
- If it's correct I can create a token to send back to the client that it can use for further calls until the end of the session.
Which is safer: putting the credentials in a cookie, or passing them as parameters of the Ajax request?
I also read that JSONP could be the solution, but it's older and less safe than JSON, right?
I think I need to set extra response headers in the login controller to let the controller 'pick up' the cookie.
Now the debugger reaches the code, but the cookie collection in the request has length 0.
Or are 2 calls needed?
What I have tried:
Client
...
var sURL = "https://bbb.api/Login/SetUserVariables";
var sMethod = "POST";
var sDataType = "json";
// Cookies are written on the UI origin (aaa.local) before the call to the API.
document.cookie = `username=${gebruikersnaam};Path=/;Secure;SameSite=None;Domain=aaa.local;`
document.cookie = `password=${password};Path=/;Secure;SameSite=None;Domain=aaa.local;`
// jQuery cross-origin request with credentials (cookies) enabled.
return $.ajax({
url: sURL,
method: sMethod,
dataType: sDataType,
xhrFields: { withCredentials: true },
crossDomain:true,
async: true
});
...
Server
...
// Read the credentials from the request cookie collection.
string sUsername = Request.Cookies["username"];
string sPassword = Request.Cookies["password"];
// CORS response headers for the credentialed cross-origin call (requires Microsoft.Extensions.Primitives for StringValues).
Response.Headers.Add(new KeyValuePair<string, StringValues>("Access-Control-Allow-Origin", new StringValues("https://aaa.local:443")));
Response.Headers.Add(new KeyValuePair<string, StringValues>("Access-Control-Allow-Credentials", new StringValues("true")));
Response.Headers.Add(new KeyValuePair<string, StringValues>("Access-Control-Allow-Methods", new StringValues("POST")));
Response.Headers.Add(new KeyValuePair<string, StringValues>("Access-Control-Allow-Headers", new StringValues("Content-Type, *")));
Response.Headers.Add(new KeyValuePair<string, StringValues>("Domain", new StringValues("aaa.local")));
...
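The following is an added example and not code from the original post. It shows the two behaviours the question runs into, in plain JavaScript with no network I/O: first, the browser's cookie scoping rule, which is why the API sees zero cookies (a cookie written with Domain=aaa.local is only attached to requests to aaa.local or its subdomains, never to bbb.api, and no CORS response header changes what the browser attaches); second, the shape of a login call that carries the username and password in the HTTPS POST body instead of a cookie or the query string, and a matching set of CORS response headers for a credentialed request (with credentials, Access-Control-Allow-Origin must equal the Origin header the browser sends, which for a default-port HTTPS page is `https://aaa.local` without `:443`; a `Domain` response header does not exist). The endpoint path is the one from the post; the JSON body shape, the bearer-token convention for later calls and the `allowedOrigins` list are assumptions for the example.

```javascript
// Added example (not from the original post). Assumes: the login endpoint
// accepts a JSON body {username, password} and answers with a JSON {token};
// later calls send that token as "Authorization: Bearer <token>".

// RFC 6265 path-match: exact match, or prefix ending in "/" or followed by "/".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a request for requestUrl?
// Domain attribute -> host must be the domain itself or a subdomain of it;
// Secure -> only over https; Path -> path-match as above.
function cookieWouldBeSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const domain = cookie.domain.replace(/^\./, '').toLowerCase();
  const domainOk = host === domain || host.endsWith('.' + domain);
  const secureOk = !cookie.secure || url.protocol === 'https:';
  const pathOk = pathMatches(url.pathname, cookie.path || '/');
  return domainOk && secureOk && pathOk;
}

// Login request: credentials go in the POST body over TLS. Not in a cookie
// (sent automatically on every matching request, readable by any script on
// the origin unless HttpOnly) and not in the query string (ends up in server
// logs, proxy logs and browser history).
function buildLoginRequest(apiBase, username, password) {
  return {
    url: new URL('/Login/SetUserVariables', apiBase).toString(),
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ username, password }),
      credentials: 'include', // only relevant if the API later issues its own cookie
    },
  };
}

// CORS headers the API should return for a credentialed request from a
// trusted UI origin. allowedOrigins is an assumed allow-list; the Origin value
// is echoed back exactly (a wildcard is not allowed together with credentials).
function corsHeadersFor(originHeader, allowedOrigins) {
  if (!allowedOrigins.includes(originHeader)) return null; // unknown origin: send no CORS headers
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'POST',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Vary': 'Origin', // keep caches from serving one origin's headers to another
  };
}

// After login: keep the token in script memory (not document.cookie) and send
// it explicitly on each API call.
function authorizedRequest(url, token) {
  return { url, init: { method: 'GET', headers: { Authorization: `Bearer ${token}` } } };
}

// Constructed sample values for a stand-alone run.
const sampleCookie = { name: 'username', domain: 'aaa.local', path: '/', secure: true };
console.log(cookieWouldBeSent(sampleCookie, 'https://aaa.local/login'));                // true
console.log(cookieWouldBeSent(sampleCookie, 'https://bbb.api/Login/SetUserVariables')); // false
console.log(buildLoginRequest('https://bbb.api', 'alice', 'example-password').init.body);
console.log(corsHeadersFor('https://aaa.local', ['https://aaa.local']));
```

In the browser the request object from `buildLoginRequest` is passed straight to `fetch(url, init)`; the server side reads the JSON body (in ASP.NET Core, a `[FromBody]` model on the POST action) rather than `Request.Cookies`. The `withCredentials`/`credentials: 'include'` flag is only needed once the API itself sets a cookie; a token returned in the JSON body and kept in memory needs no cookie at all.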