
How to handle custom token across pages

I have a custom log in that returns an encrypted Token, which indicates that a user is logged in. This Token is passed to another page (Dash.aspx) via QueryString.

Dash.aspx takes the token from the QueryString and posts it to a hidden field on the page. JavaScript reads that value and holds it in memory. That Token is then used to make web service calls. When these calls complete, a new Token value is returned, and JavaScript stores that value (replacing the old one).

I want to add new pages for access after log in. These pages will need a valid Token passed to them. A user would move from Dash.aspx to one of these new pages and back (so just a few different links at the top of a Masterpage).

I don't like passing the Token via QueryString. And I am not sure how to keep the Token updated where accessible on page change. I want to avoid using Session to store and pass the Token if possible.

How can I pass my Token more discreetly and make sure it always passes the most up to date value?

I realize this is a fairly broad question, but I'm at a loss. I feel like there is probably some pre-built idea that will handle this, I just don't know what or how to use it.

Thanks

Update

So an example was asked for:

Step 1: User logs in -> zholen/zholen123

  • Service is called to validate username and password -> returns Token ('ABC')
  • Redirect to Page Dash.aspx?token=ABC

Step 2: Dash.aspx grabs token from querystring and assigns to hidden field on page

  • JavaScript object grabs token from hidden field and stores internally
  • JS Object makes several async calls to various services, each service returns a new updated Token, internal token is updated with new value (Tokens expire every 30 min)

Desired new steps

Step 3: Move from Dash.aspx to Account.aspx

  • Account.aspx requires valid Token to load
  • Call more services and change Token

Step 4: Move from Account to Dash.aspx with up to date token


Service calls are made either via a Web Service (asmx) or through page methods, depending on whether the action desires a data return (asmx) or an html return (page method -> table prefilled with data) or on page load.

Based on suggestion of Cookies, I think it would be possible to reset the cookie with the new token value during these calls on C# end, assuming that I could do that kind of thing from an ASMX and that the async of the whole thing wouldn't cause issues.

Also I can make the JS object which internally stores an up to date token place that value back into the hidden field if that would help make it accessible from the C# end.

You could use cookies... You may want to use your intermediate encryption as cookies can be read externally.

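        // C#

        HttpCookie cookie = new HttpCookie("myTokenCookie");
        cookie.Value = tokenString;
        Response.SetCookie(cookie);

        // then get it back later (the cookie is null if the browser did not send it)
        HttpCookie tokenCookie = Request.Cookies["myTokenCookie"];
        string s = tokenCookie != null ? tokenCookie.Value : null;

        // then you could write it into a hidden input for retrieval in JS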
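
The cookie approach from the answer, extended to the rotation described in the question so that every page load, page method and ASMX call reads the token from the cookie and writes the replacement back; this is an added example, not code from the original post. The `TokenCookie` class, its members and the `validateAndRotate` delegate (standing in for the existing token service) are hypothetical names. It assumes HTTPS, .NET Framework 4.7.2 or later for `SameSite`, and a service that still accepts a token superseded by a parallel async call until it expires.

```csharp
using System;
using System.Web;

// Added example; the class, its members and validateAndRotate are hypothetical names.
public static class TokenCookie
{
    private const string Name = "myTokenCookie";   // cookie name used in the answer

    // Write or overwrite the cookie; an empty token expires it in the browser.
    public static void Write(HttpResponse response, string token)
    {
        bool clear = string.IsNullOrEmpty(token);
        response.SetCookie(new HttpCookie(Name, token ?? string.Empty)
        {
            HttpOnly = true,                 // not readable from document.cookie
            Secure = true,                   // only sent over HTTPS
            SameSite = SameSiteMode.Strict,  // not sent on cross-site requests (.NET Framework 4.7.2+)
            Path = "/",
            // 30 minutes matches the token lifetime stated in the question
            Expires = clear ? DateTime.UtcNow.AddDays(-1) : DateTime.UtcNow.AddMinutes(30)
        });
    }

    // Returns the current token, or null when the cookie is absent or empty.
    public static string Read(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[Name];
        return cookie == null || string.IsNullOrEmpty(cookie.Value) ? null : cookie.Value;
    }

    // Call first in every Page_Load, page method and ASMX method.
    // validateAndRotate stands in for the existing token service: it returns the
    // replacement token, or null when the presented token is invalid or expired.
    public static bool TryRotate(HttpContext context, Func<string, string> validateAndRotate)
    {
        string current = Read(context.Request);
        string next = current == null ? null : validateAndRotate(current);
        Write(context.Response, next);       // stores the new token, or clears a rejected one
        return next != null;                 // false: caller redirects to the login page
    }
}
```

Because the browser attaches the cookie to same-site requests by itself, the token no longer has to appear in the query string, a hidden field or script memory, and links between Dash.aspx and Account.aspx need no parameters.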
