Authentication in Web API project using the session that is from ASP.NET Web Forms project

Question

I know it is bad and not recommended, but unfortunately, I am dealing with a legacy product and has limited permissions to make reasonable changes to avoid this.

In my solution, I have an ASP.NET Web Forms website, and I have recently added a new ASP.NET Web API project.

The Web Forms website is session and cookie based (HttpContext.Current.Session).

I have to stick in a single page React app into a page inside Web Forms. The requirement for the React app is to use a separate ASP.NET Web API based endpoints while using the current authentication available in ASP.NET Web Forms.

The react is able to access the local cookie, and there is no problem with organizing the project itself, placing js files etc.

The only problem is - how do I authorize the requests made from React to the Web API? I have to use ASP.NET Web Forms session.

Thanks for the guidance.

Answer 1

Have your React app use the cookie when sending a request to the Web API (either in the header if the domain names allow, or make a special authentication call were you send the content of the cookie in the body of the HTTP request to the API).

Then your Web API can make an HTTP request to the ASP.NET app with the cookie. If it gets back anything but a 401, then you known the cookie is good.