Webmethod unAuthorized access

Barbara Jones 2536 25-Nov-2014

I have implemented the new ASP.NET Identity model into my site. I can log in OK, but when I now try to call one of my WebMethods from client script, I get the following response:

Do I need to do anything special to my WebMethod calls now? 

Login code is: 

    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;
 
    protected void Page_Init(object sender, EventArgs e)
    {
        // The code below helps to protect against XSRF attacks
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        Guid requestCookieGuidValue;
        if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
        {
            // Use the Anti-XSRF token from the cookie
            _antiXsrfTokenValue = requestCookie.Value;
            Page.ViewStateUserKey = _antiXsrfTokenValue;
        }
        else
        {
            // Generate a new Anti-XSRF token and save to the cookie
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
            Page.ViewStateUserKey = _antiXsrfTokenValue;
 
            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                HttpOnly = true,
                Value = _antiXsrfTokenValue
            };
            if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
            {
                responseCookie.Secure = true;
            }
            Response.Cookies.Set(responseCookie);
        }
 
        Page.PreLoad += Home_Page_PreLoad;
    }
 
    protected void Home_Page_PreLoad(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Set Anti-XSRF token
            ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
            ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
        }
        else
        {
            // Validate the Anti-XSRF token
            if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
            {
                throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
            }
        }
    }

and my page load looks like: 

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!HttpContext.Current.User.Identity.IsAuthenticated)
        {
            // Redirect unauthenticated users to the login page
            Response.Redirect("~/Account/Login");
        }

        if (!IsPostBack)
        {
           ....
        }
    }


Updated on 26-Nov-2014
