I am using the jQuery plugin to add support for SwfUpload by steven sanderson which allows files to be uploaded with ajax.
The problem is that Request.IsAuthenticated is always false with an ajax post. This means that User.Identity.Name = "" which doesn't allow me to load up values I need to save the file.
Is this by design and what is best practice?
EDIT: The request is authenticated when the page loads but only on the ajax post is it no longer authenticated. Other ajax calls are also authenticated properly.
Assuming that you are using forms authentication, I think the problem is that the swfUpload utility, which uses flash, isn't dragging along the proper authentication cookies for the site back to the server with it's post. You would have to go find out how to get the flash to bring the auth cookies back to the server with it's requests.
quick look:
http://www.google.com/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=pr3&q=swfupload+authentication+cookies&aq=f&oq=&aqi=
Related
I have one web application running on Struts. User is hitting below url directly from browser -
http://:/Test/servlet.do?name=XX&address=YYY
By default this request is submitted as GET by the user. Now my question is
1) how do I change user request to POST?
Use JQuery post or ajax methods, using an empty form with hidden keys.
There are plenty of browser add-ons that will let you send your request as POST (such as DHC by Restlet and Advanced REST client for Chrome)
Remember GET is inside the ans is set into links. POST are usually done by , or GET is possible too. So hitting a URL or link as you said is not possible to do over html, use PHP or Jquery so have it GET instead .
What is the best way to make authentication?
on frontend I use Angular.js
on backend: Ruby on Rails
Rails app using as API for my frontend.
UPDATE:
This is will be single page application.
Frontend wiil be developed in Angular.js, backend in Ruby on Rails.
In ideal I want to build backend as collection of resources returned in json.
I search best method of security implementation.
When user open the app I need to check if user authenticated.
If not - go to login page,
If authenticated - open that he wants and return needed resource from backend.
I think that I need to store auth token on the client side.
What is the best method to generate it, or maybe Rails already generate it for me?
I don't know Angular.JS at all but I will try to provide you general information on rails that you can use with any Javascript Framework.
For authentication, you just needs:
A model for users
a controller which handle login, this method check user login/password, create a session object with all information needed (session is stored on server side and a cookie is used on client-side to associate each request to a session)
A controller for handling logout which basically only destroy the user's session
You have a good implementation in the rails tutorial here, or you can find several plugins (authlogic seems to be the recommendation of stackoverflow usershere).
Then, there is few differences between handling authentication with static html pages or with AJAX:
A HTML request will send login and password to the controller, which will automatically redirect it to another internal page once the session create
In AJAX, the javascript on client side should send an ajax request, look for the answer by the server (success / failure) and launch adapted actions (message if failure, redirection if success)
In both cases, the important thing is to check that the user is authenticated at at each controller otherwise anybody would be allowed to launch action or access internal information.
I'm trying to do something similar and I found this example app which has been very useful to get me going in the right direction: https://github.com/karlfreeman/angular-devise
Also checkout further discussion about it here: https://github.com/karlfreeman/angular-devise/issues/1
And here's another repo which takes a slightly different approach: https://github.com/colindensem/demo-rails-angularjs
I ended up borrowing ideas from all of the above. Here's a working demo if anyone's interested: https://github.com/jesalg/RADD
Hope you can help. In my ASP.net MVC3 app, all my controllers descend from a customized controller I have created.
Upon FormsAuthentication time out, my app correctly redirects users to the login page if they attempt to access any page (standard functionality).
However, for Ajax.ActionLink and Ajax.BeginForm calls, they just return nothing, which confuses users if the browser is left open for more than 20 minutes and then they try to access an Ajax link.
Is there any code I can put in to my base controller that will work generically so that when it detects an inbound Ajax call and we have timed-out, it will redirect users to my login page as expected?
I don't mind if it doesn't return to the original page afterwards - happy for it to just go to the Home Index page.
Thanks in advance for any help you can provide.
Simon.
You may take a look at the following blog post which illustrates a nice way to prevent the FormsAuthentication module from redirecting to the logon page in case of an AJAX request and simply send a 401 status code to the client so that it can act accordingly.
I have an HTML form in MVC ASP.NET which the user fills out and the request goes to the server [AJAX] then we send a mail them to inform them. I use the hidden key to store information on the page.
I find that someone changed the key and then clicked then it's a problem that the mail go to other who are unknown for this case.
How can I be sure that nobody changes the hidden key and request is valid. The thing I want to do that HTML. antioforeignkey who is suitable for that.
But how can I implement antiforeignkey when I send AJAX request to server.
Are there any tricks to solve this problem in MVC?
Check out this link: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
This link will help with AntiForgeryToken and Ajax calls: http://blogs.us.sogeti.com/swilliams/2009/05/14/mvc-ndash-using-antiforgerytoken-over-ajax/
Be sure to add #Html.AntiForgeryToken() to your form then you can use jQuery to pull that value. With the value you can then add it to the data attribute of your jQuery Ajax call.
var token = $('input[name=__RequestVerificationToken]').val();
I'm using ASP.Net MVC beta 1 and I'm using the asp.net membership provider with the standard authentication controller to restrict access to my site.
I'm using ajax functionality to provide e.g. editing of values by loading partial views into a div with either jQuery $.get/$.ajax or with the Ajax.Actionlink MVC helper. This all works fine most of the time.
My problem comes once the login times out and you click on one of the ajax edit links - the ajax call returns the login page which is put into the div normally used for the edit form.
I want to find a way to redirect the whole page to the login form, when the authentication has timed out and an ajax link is clicked.
One way I can think of is looking at the html returned from the ajax call in the response callback and searching for the 'login' text or form field and doing a redirect from there - but this doesn't feel very clean - is there a better way?
This might help some:
Bypass Forms Authentication auto redirect to login, How to?
From the above answer it looks like http 403 isn't intercepted by Forms Authentication, so you can roll your own ActionFilter that returns an http 403 response if its an Ajax Request and Authorization failed.
On the client side, you could then check the response code for 403, and redirect to the appropriate login url.
There are probably other ways to do this as well!