Webmethod unAuthorized access
Barbara Jones

Posted on    November-25-2014 10:01 PM

ASP.Net Authentication Authorization

I have implemented the new ASP.NET Identity model into my site. I can log in OK, but when I now try and call one of my WebMethods from client script, I get the following response:

Do I need to do anything special to my WebMethod calls now?

Login code is:

    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;

    protected void Page_Init(object sender, EventArgs e)
    {
        // The code below helps to protect against XSRF attacks
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        Guid requestCookieGuidValue;
        if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
        {
            // Use the Anti-XSRF token from the cookie
            _antiXsrfTokenValue = requestCookie.Value;
            Page.ViewStateUserKey = _antiXsrfTokenValue;
        }
        else
        {
            // Generate a new Anti-XSRF token and save to the cookie
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
            Page.ViewStateUserKey = _antiXsrfTokenValue;

            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                HttpOnly = true,
                Value = _antiXsrfTokenValue
            };
            if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
            {
                responseCookie.Secure = true;
            }
            Response.Cookies.Set(responseCookie);
        }

        Page.PreLoad += Home_Page_PreLoad;
    }

    protected void Home_Page_PreLoad(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Set Anti-XSRF token
            ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
            ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
        }
        else
        {
            // Validate the Anti-XSRF token
            if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
            {
                throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
            }
        }
    }

and my page load looks like:


    protected void Page_Load(object sender, EventArgs e)
    {
        if (!HttpContext.Current.User.Identity.IsAuthenticated)
        {
            // Redirect to Default page
            Response.Redirect("~/Account/Login");
        }

        if (!IsPostBack)
        {
           ....
        }
    }


Kamlakar Singh
Posted on    November-26-2014 12:13 AM

Comment out this AutoRedirectMode line in RouteConfig in the App_Start folder.

// settings.AutoRedirectMode = RedirectMode.Permanent;
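
The reply's change shown in context, together with a check the page in the question would need, as an added example that is not code from either poster. It assumes the stock Web Forms `App_Start/RouteConfig.cs` with the Microsoft.AspNet.FriendlyUrls package; the page class `Home` and the method `GetAccountSummary` are hypothetical. Page methods are static and are invoked without running the page lifecycle, so the `IsAuthenticated` redirect in `Page_Load` does not cover them and the method has to check the caller itself.

```csharp
using System;
using System.Web;
using System.Web.Routing;
using System.Web.Services;
using Microsoft.AspNet.FriendlyUrls;

// App_Start/RouteConfig.cs (assumed to be the template-generated file)
public static class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        var settings = new FriendlyUrlSettings();
        // Commented out as the reply suggests, so client-script calls to
        // Page.aspx/MethodName are no longer subject to the automatic redirect.
        // settings.AutoRedirectMode = RedirectMode.Permanent;
        routes.EnableFriendlyUrls(settings);
    }
}

// Hypothetical code-behind for the page from the question.
public partial class Home : System.Web.UI.Page
{
    [WebMethod]
    public static string GetAccountSummary()
    {
        // Page_Init, Page_PreLoad and Page_Load are not executed for a page
        // method call, so neither the login redirect nor the ViewState-based
        // anti-XSRF validation from the question's code runs here.
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Refuse the call instead of relying on the page-level redirect.
            throw new UnauthorizedAccessException("Authentication required.");
        }

        // Constructed placeholder result for the example.
        return "summary for " + user.Identity.Name;
    }
}
```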

