javascript - ASP.NET Forms Authentication with per session/page API token -
let me first start saying realize similar many other questions service access control can't seem find 1 response relevant on of points below, asking (possibly) again.
some background: building web application .net protected custom forms authentication implementation. same app (within same domain) needs leverage several rest services related data management within javascript/jquery many of app's functions not suited post use in forms.
i trying determine secure way implement access control rest service based on authentication done server side when app first accessed.
here example use case describing:
- user logs asp.net site using forms authentication , upon successful authentication user taken landing page of application
- the user chooses access page @ ~/users.aspx link on landing page, forms auth allows based on cookie created authentication in step 1
- users.aspx loads basic html elements, empty table , hidden field contains token (guid) generated @ page load. token in hidden field used javascript access rest service retrieves data populate table. token stored in database pre-defined expiration.
- when rest service called token checked expiration , used determine user making call , provide authorization data being accessed database, if user authorized access/update data service performs requested service operation, extends expiration on token, , returns response.
i know token visible sniffing request/response on network unless ssl used encrypt transmission, ssl used counter this.
my question is:
- are there other attacks service vulnerable to?
- is there better way handle authorization , user identification rest service based on server side login other statically assigned token service? seems me statically assigned user token less secure since give endless access service if obtained malicious user.
- assuming answer #2 no, there better way transmit token client , store there life of page use knowing needs accessible javascript/jquery?
Comments
Post a Comment