Hi all,

I have an ASP.NET website that uses Forms authentication

    <authentication mode="Forms">
        <forms name="NewsCoreAuthentication" loginUrl="~/Default.aspx" defaultUrl="~/Default.aspx" protection="Validation" timeout="300" domain="someRootDomain.com" />
    </authentication>

I need to identify if the user is authenticated on a web page after it has been rendered to the client. To accomplish this I thought that I could read document.cookie and check if ".ASPXAUTH" is there. But the problem is that even if I am signed in this value is empty.

How can I check that the user is authenticated? Why is document.cookie empty?


Thank you for the answers. blowdart helped me to understand why the authentication ticket is not accessible from client script.

A: 

Number one... this is a bad idea. There is absolutely no security in checking if a user is authorized on the client side. None.

But if you really want to do this... do the check in code-behind, and push a value to the client that can be read via JavaScript. Something akin to:

    // code-behind (C#): emit the server-side check result as a script variable
    ClientScript.RegisterClientScriptBlock(GetType(), "isvalidated", "var isUserAuthenticated = " + User.Identity.IsAuthenticated.ToString().ToLower() + ";", true);

You see the problem now? You could do the same thing in AJAX... but it has the same problem.

OK, I can see doing this as a simple convenience for the user... showing certain links if they are authorized for instance. But it is not secure in any way shape or form. Just do yourself a favor and handle this in code-behind.

Bryan
A good remark and advice, but the reason why I need this check on the client is because pages are processed just by IIS (htm and html). AJAX is a good idea but as the load on the web site is high I can't afford a call to an ASP.NET page (or handler). After the check I will show in an IFRAME some page that is secured. So this flag in the cookie does not cause a security issue. Thank you for the answer!
Pavlo Neyman
A: 

The reason it's blank is because the cookie is protected by being marked as HttpOnly. This means it cannot be accessed via script. Turning this off is a very very bad idea, as XSS vulnerabilities in your site could expose it to cookie theft, so I'm not going to tell you how you can do it.

blowdart
Thanks, you are right. This answer helped me. I can add a flag to the cookie myself to identify if the user is authenticated.
Pavlo Neyman
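The approach the asker settles on in the comment above (a separate, non-secret flag cookie that is readable from script, while the .ASPXAUTH ticket stays HttpOnly) as an added browser-side example; this is not code from the thread. It assumes the server sets a hypothetical cookie named NewsCoreAuthHint=1 at sign-in, on the same domain as the forms cookie, and clears it at sign-out; the flag only drives UI, authorization still happens on the server for the page loaded into the IFRAME.

```javascript
// Name of the non-HttpOnly hint cookie (assumed; set by the server at sign-in).
// It carries no secret: anything readable by script is readable by XSS too,
// so it must never stand in for the HttpOnly .ASPXAUTH ticket.
var AUTH_HINT_COOKIE = "NewsCoreAuthHint";

// Parse a document.cookie string ("a=1; b=2") into a name -> value object.
// Values are percent-decoded; a bare name without "=" keeps an empty value.
function parseCookies(cookieString) {
    var cookies = {};
    if (!cookieString) { return cookies; }
    var parts = cookieString.split(";");
    for (var i = 0; i < parts.length; i++) {
        var pair = parts[i].trim();
        if (!pair) { continue; }
        var eq = pair.indexOf("=");
        var name = eq < 0 ? pair : pair.slice(0, eq);
        var value = eq < 0 ? "" : pair.slice(eq + 1);
        try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
        cookies[name] = value;
    }
    return cookies;
}

// True only when the hint cookie says the user is signed in. It never looks
// for .ASPXAUTH: an HttpOnly cookie is simply absent from document.cookie,
// which is exactly the "empty" behaviour the question describes.
function authHintPresent(cookieString) {
    var cookies = parseCookies(cookieString);
    return cookies[AUTH_HINT_COOKIE] === "1";
}

// Constructed samples of what document.cookie looks like on this site.
// The HttpOnly ticket never appears, even when the user is signed in.
var SAMPLE_SIGNED_IN = "ASP.NET_SessionId=abc123; " + AUTH_HINT_COOKIE + "=1";
var SAMPLE_SIGNED_OUT = "ASP.NET_SessionId=abc123";

// UI convenience only: decide whether to reveal the secured IFRAME.
// A wrong hint just shows a frame whose content the server will still refuse.
function shouldShowSecuredFrame() {
    var cookieString = (typeof document !== "undefined") ? document.cookie : SAMPLE_SIGNED_OUT;
    return authHintPresent(cookieString);
}
```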
A: 

As others have said, the auth ticket is and SHOULD be HttpOnly.

The best way to do this is to use ApplicationServices. The JSON authentication endpoint exposes IsLoggedIn, and I have noticed your concern regarding server load. The overhead of a call to a static endpoint that simply checks the cookie for you is negligible. Really.

So, if you are using MsAjax, just enable application services and call Sys.Services.AuthenticationService.IsLoggedIn.

If you want to do this from raw JavaScript, here is the codez ;-)

Add this segment to your config file

  <system.web>
     ------------
  </system.web>
  <system.web.extensions>
    <scripting>
      <webServices>
        <authenticationService enabled="true" requireSSL="false"/>
      </webServices>
    </scripting>
  </system.web.extensions>

The page....

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>

    <script type="text/javascript">
        function createXHR() {
            // a memoizing XMLHttpRequest factory.
            var xhr;
            var factories = [
                    function() { return new XMLHttpRequest(); },
                    function() { return new ActiveXObject("Msxml2.XMLHTTP"); },
                    function() { return new ActiveXObject("Msxml3.XMLHTTP"); },
                    function() { return new ActiveXObject("Microsoft.XMLHTTP"); } ];
            for (var i = 0; i < factories.length; i++) {
                try {
                    xhr = factories[i]();
                    // memoize the factory so we don't have to look for it again.
                    createXHR = factories[i];
                    return xhr;
                } catch (e) { }
            }
        }

        function isLoggedIn() {
            var xhr = createXHR();
            xhr.open("POST", "/Authentication_JSON_AppService.axd/IsLoggedIn", true);
            xhr.onreadystatechange = function() {
                if (this.readyState === 4) {
                    if (this.status != 200) {
                        alert(xhr.statusText);
                    } else {
                        alert("IsLoggedIn = " + xhr.responseText);
                    }
                    xhr = null;
                }
            };
            xhr.setRequestHeader("content-type", "application/json");
            xhr.send(null);
        }
    </script>

</head>
<body>
    <input type="button" value="IsLoggedIn?" onclick="isLoggedIn()" />
</body>
</html>
Sky Sanders