AJAX对WCF服务身份验证的请求
[英]AJAX Request to WCF Service Authentication
问题描述
If anyone could assist me with this I'd be grateful. 
如果有人可以帮助我,我将不胜感激。 Currently I'm implementing some jQuery AJAX methods on our ASP.NET application to GET and POST data to our server. 当前,我正在ASP.NET应用程序上实现一些jQuery AJAX方法,以将数据获取和发布到我们的服务器。 We would like some form of authentication on this that is lightweight and fairly fast to implement. 我们希望对此进行某种形式的身份验证,这种身份验证是轻量级的,并且实现起来相当快。
Currently with each AJAX request it sends the Forms Authentication cookie to our WCF service, as seen on Fiddler. 当前,每个AJAX请求都会将表单身份验证cookie发送到我们的WCF服务,如Fiddler所示。 When we receive a request to our WCF service, it has a method that decrypts the Forms Authentication cookie. 当我们收到对WCF服务的请求时,它具有一种对表单身份验证cookie进行解密的方法。 Currently it will only give a response with data if the cookie is not null and it hasn't expired. 当前,仅当cookie不为null且尚未过期时,它才会给出带有数据的响应。 This works fine and well, and the only way the cookie exists is if the user has passed our secure log-in system. 这可以正常工作,并且cookie存在的唯一方法是用户已通过我们的安全登录系统。
What I want to know is whether this is a valid form, albeit basic, of securing our AJAX calls. 我想知道的是,这是确保我们的AJAX调用安全的有效形式,尽管很基本。
Is it easy to imitate forms cookies? 模仿表单cookie容易吗? Is it possible to circumvent the forms cookie? 是否有可能规避表单cookie? Any advice would be appreciated as I'm a little out of my depth here. 任何建议都将不胜感激,因为我在这里不甚了解。
EDIT: We currently have SSL and secure HTTPS transport enabled also. 编辑:我们目前还启用了SSL和安全的HTTPS传输。
Here's an example of our code: 这是我们的代码示例:
private bool AuthenticateAJAXRequest()
{
// assume user is not authenticated
bool authenticated = false;
if (HttpContext.Current != null)
{
if (HttpContext.Current.Request != null)
{
var authCookie = HttpContext.Current.Request.Cookies["authCookie"];
if (authCookie != null)
{
FormsAuthenticationTicket fTicket = FormsAuthentication.Decrypt(authCookie.Value);
if (fTicket != null)
{
if (!fTicket.Expired)
authenticated = true;
}
}
}
}
return authenticated;
}
1 个解决方案
解决方案1
1 2014-03-28 12:36:56
First of all, AJAX (XHR - Xml Http Request) async request is bound by the "Same-Origin" policy. 首先,AJAX(XHR-Xml Http请求)异步请求受“ Same-Origin”策略约束。 Which means a browser will implicitly refuse/restrict to make an AJAX calls to a server other than the one the page originated from. 这意味着浏览器将隐式拒绝/限制对除页面所源自的服务器之外的服务器进行AJAX调用。 This takes care of cross-domain scripting attacks. 这样可以解决跨域脚本攻击。 (You could still make cross-domain async calls using JSONp or using script tags manually, but that's a whole other ball game not in the current scope of discussion.) From what I gather, if you just check for cookies and don't have a fall back then you are going be in trouble as some users could have turned the cookies off in their browsers. (您仍然可以使用JSONp或手动使用脚本标签进行跨域异步调用,但这不在当前的讨论范围之内。)从我的经验来看,如果您只是检查Cookie而不必回退一下,您将会遇到麻烦,因为某些用户可能已在其浏览器中关闭了Cookie。 Instead, I recommend using user level unique ids that you can store and retrieve for each user session. 相反,我建议使用可以为每个用户会话存储和检索的用户级唯一ID。 Send this unique id(s) as part of the each Ajax request and validate it against your data store (either cached or persisted) on the server. 将这个唯一的ID作为每个Ajax请求的一部分发送,并针对服务器上的数据存储(缓存或持久化)验证它。 This way you can rest assured that this system will still work regardless of the cookies. 这样,您可以放心,无论cookie如何,该系统仍然可以运行。 Also make sure you destroy the unique id after a user logs off so that any future request(s) (either full page or Ajax) is not honored. 另外,请确保您在用户注销后销毁了唯一ID,以免将来执行任何请求(全页或Ajax)。 Hope this answers your question. 希望这能回答您的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.