jquery together with asp.net and authentication

Question

I'm using jquery to access a asp.net web service from my website. This web service needs to get the userid of the user that access it and the user is logged in with asp.net authentication on my website.

In asp.net I can just write "User.Identity.Name" to get the userid, now I need to find a way of getting this on the client side, how is that possible?

My code for accessing the web service:

$.ajax({
    type: "GET",
    url: "http://domain.com/Service.svc/search?keyword=" + this.value + "&userid=" + HERE I NEED THE USERID,
    dataType: "json"
    .....
});

One way would be to put the userid in a hidden field or something and access it that way, could that be the way to go?

Answer 1

Assuming this all on a trusted internal network (e.g. a company?), then the jQuery call will be offering the user's credentials to the web service in the same way it does to your web site. Can the web service just check who is authenticated on the call (using User.Identity.Name for example) ?

This approach would be far preferable to providing the username on the querystring ( or as an argument to the web service call), as either of these would be easily subvertible.

Answer 2

$.ajax({
    type: "GET",
    url: "http://domain.com/Service.svc/search?keyword=" 
            + this.value + "&userid=<%= User.Identity.Name %>",
    dataType: "json"
    .....
});

Would do it, but are you sure you need to? If this is not a cross domain call, the request should come from the authenticated user session, and so in your service you can extract that information in the code behind.

As Rob points out, this can easily be modified by someone, so you'd probably actually want to use something else, for example encrypting the user name using a salt and key that you know at both ends.