I am attempting to log user activity for a couple of internal websites as well as our SharePoint sites. I use JavaScript to make a call (GET) to an ashx page (HTTPHandler) that returns a 1x1 invisible GIF. The HTTPHandler grabs the referring URL, browser info, IP address, the action (sent as a QueryString), and (the part I'm struggling with) the username. The username is gathered using context.User.Identity in the HTTPHandler and 'Integrated Windows Authentication' is enabled in IIS 6. Here is the logging portion of the JS:
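
    logAction: function(action) {
        try {
            // Request a 1x1 image from the handler; the GET itself is the log call.
            var i = new Image(1, 1);
            // Encode the action so characters such as & or # cannot break the query string.
            i.src = "http://intranet/tracker/urchin.ashx?action=" + encodeURIComponent(action);
        } catch (e) {
            // Errors are deliberately swallowed so tracking never breaks the page.
            //alert(e);
        }
    }
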
Using jQuery, I added handlers to button clicks, link clicks, and 'unload' that call the ashx file and pass the action performed. (It is also called on page load).
All of this was working perfectly, or so I thought... It turned out that I was missing the initial page load event the first time the user opened one of the pages if it was not on the same domain as the HTTPHandler. Using Fiddler I could see the NTLM cycle for the page (401.2, 401.1, 200) but only a 401.2 for the ashx. It appears that the browser will not send the user credentials when the call to the HTTPHandler is cross-domain. The next page the user visits gets logged correctly, but that first page is not logged.
Here are our domains:
- http://intranet
- http://sharepoint
- http://dev <-- The HTTPHandler for tracking lives here
Is there something wrong with my design, or is this simply web browser security? Thanks!
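
The missed hits described above can be counted on the server side. The following is an added example, not code from the original post: it scans IIS W3C log lines for tracker requests that stopped at 401.2 and never reached an authenticated 200. The log lines are constructed, and the field selection, the 5-second window and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample; the #Fields line must match the fields enabled in IIS logging.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-substatus cs(Referer)
2010-03-01 09:00:01 10.0.0.5 - GET /tracker/urchin.ashx action=load 401 2 http://sharepoint/default.aspx
2010-03-01 09:00:40 10.0.0.5 - GET /tracker/urchin.ashx action=click 401 2 http://sharepoint/default.aspx
2010-03-01 09:00:40 10.0.0.5 - GET /tracker/urchin.ashx action=click 401 1 http://sharepoint/default.aspx
2010-03-01 09:00:40 10.0.0.5 CORP\\alice GET /tracker/urchin.ashx action=click 200 0 http://sharepoint/default.aspx
2010-03-01 09:01:10 10.0.0.9 - GET /tracker/urchin.ashx action=load 401 2 http://dev/page.aspx
2010-03-01 09:01:10 10.0.0.9 - GET /tracker/urchin.ashx action=load 401 1 http://dev/page.aspx
2010-03-01 09:01:11 10.0.0.9 CORP\\bob GET /tracker/urchin.ashx action=load 200 0 http://dev/page.aspx
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def find_unfinished_handshakes(rows, stem="/tracker/urchin.ashx", window=timedelta(seconds=5)):
    """Return (client, query, referer) for each 401.2 tracker hit that has no
    authenticated 200 from the same client and query within `window`."""
    hits = [r for r in rows if r["cs-uri-stem"].lower() == stem]
    missed = []
    for i, r in enumerate(hits):
        if (r["sc-status"], r["sc-substatus"]) != ("401", "2"):
            continue
        completed = any(
            o["c-ip"] == r["c-ip"] and o["cs-uri-query"] == r["cs-uri-query"]
            and o["sc-status"] == "200" and o["cs-username"] != "-"
            and timedelta(0) <= o["ts"] - r["ts"] <= window
            for o in hits[i + 1:]
        )
        if not completed:
            missed.append((r["c-ip"], r["cs-uri-query"], r["cs(Referer)"]))
    return missed

if __name__ == "__main__":
    for hit in find_unfinished_handshakes(parse_w3c(SAMPLE_LOG)):
        print("handshake never completed:", hit)
```

Grouping the result by referer host shows which originating sites lose their first hit.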