Write a login mechanism

Question

1.00/5 (1 vote)

See more:

Hello,

I want to create a login mechanism for my web platform that I'm building. It's .net 6 (cshtml pages).

My login page uses a js-file with control handlers and Ajax calls. The login page (and the other UI) are hosted with the https protocol.

The Ajax calls go to a web api (https).

At the moment I host it locally on IIS10 (windows 10). I use 2 different domains.

My thought:
- I put the credentials in a cookie (at the moment not yet encrypted)
- Via an Ajax call I have to send this cookie to the server
- In the login controller I can verify if the username/password is correct
- If it's correct I can create a token to send back to the client that it can use for further calls until the end of the session.

Which is safer, putting the credentials in a cookie? Or as parameters of the Ajax request?

I also read that using jsonp could be the solution but its older and unsafer than json, right?

I think I need to set extra response headers in the login controller to let the controller 'pick up' the cookie.

Now the debugger comes in the code but the length of the cookies in the request is 0.

Or are there 2 calls needed?

What I have tried:

Client
...
var sURL = "https://bbb.api/Login/SetUserVariables";
var sMethod = "POST";
var sDataType = "json";

document.cookie = `username=${gebruikersnaam};Path=/;Secure;SameSite=None;Domain=aaa.local;`
document.cookie = `password=${password};Path=/;Secure;SameSite=None;Domain=aaa.local;`

return $.ajax({
url: sURL,
method: sMethod,
dataType: sDataType,
xhrFields: { withCredentials: true },
crossDomain:true,
async: true
});
...

Server
...
string sUsername = Request.Cookies["username"];
string sPassword = Request.Cookies["password"];

Response.Headers.Add(new KeyValuePair<string, stringvalues="">("Access-Control-Allow-Origin", new StringValues("https://aaa.local:443")));

Response.Headers.Add(new KeyValuePair<string, stringvalues="">("Access-Control-Allow-Credentials", new StringValues("true")));

Response.Headers.Add(new KeyValuePair<string, stringvalues="">("Access-Control-Allow-Methods", new StringValues("POST")));

Response.Headers.Add(new KeyValuePair<string, stringvalues="">("Access-Control-Allow-Headers", new StringValues("Content-Type, *")));

Response.Headers.Add(new KeyValuePair<string, stringvalues="">("Domain", new StringValues("aaa.local")));
...

Posted 30-Dec-21 22:50pm

Hendrik Debedts

Updated 19-Jan-22 20:21pm

v2

Add a Solution

Comments

[no name] 1-Jan-22 14:25pm

Just Google it.

https://www.webucator.com/article/how-to-create-a-login-form-with-ajax/

Hendrik Debedts 20-Jan-22 2:26am

The browser doesn’t give an error anymore on CORS. But the cookie in my response is still empty.

I also find that with ‘ withCredentials: true’ is not needed. The IIS user is used instead of the typed username.

Richard Deeming 20-Jan-22 4:03am

Storing the user's credentials in cookies is a massive security breach waiting to happen. Hope you've got deep pockets - the GDPR fines can run into the millions!

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)