One test webserver, with the following applications:

service.ganymedes.com:8008 - WCF RESTful service, basically the FormsAuth sample from WCF Starter Kit Preview 2

mvc.ganymedes.com:8008 - ASP.NET MVC 2.0 application

web.config for service.ganymedes.com:

<authentication mode="Forms">
    <forms loginUrl="~/login.aspx" timeout="2880" domain="ganymedes.com" name="GANYMEDES_COOKIE" path="/" />
</authentication>

web.config for mvc.ganymedes.com:

<authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="2880" domain="ganymedes.com" name="GANYMEDES_COOKIE" path="/" />
</authentication>

Trying my darndest, a GET (or POST for that matter) via jQuery's $.ajax or getJson does not send my cookie (according to Firebug), so I get HTTP 302 returned from the WCF service:

Request Headers
Host               service.ganymedes.com:8008
User-Agent         Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Accept             application/json, text/javascript, */*
Accept-Language    en-us,en;q=0.5
Accept-Encoding    gzip,deflate
Accept-Charset     ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive         300
Connection         keep-alive
Referer            http://mvc.ganymedes.com:8008/Test
Origin             http://mvc.ganymedes.com:8008

It's sent when mucking about on the MVC site though:

Request Headers
Host               mvc.ganymedes.com:8008
User-Agent         Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Accept             text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language    en-us,en;q=0.5
Accept-Encoding    gzip,deflate
Accept-Charset     ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive         300
Connection         keep-alive
Referer            http://mvc.ganymedes.com:8008/Test
Cookie             GANYMEDES_COOKIE=0106A4A666C8C615FBFA9811E9A6C5219C277D625C04E54122D881A601CD0E00C10AF481CB21FAED544FAF4E9B50C59CDE2385644BBF01DDD4F211FE7EE8FAC2; GANYMEDES_COOKIE=D6569887B7C5B67EFE09079DD59A07A98311D7879817C382D79947AE62B5508008C2B2D2112DCFCE5B8D4C61D45A109E61BBA637FD30315C2D8353E8DDFD4309

I also put the exact same settings in both applications' web.config files (self-generated validationKey and decryptionKey).

On WCF binding config, the FormsAuth example doesn't have an explicit <bindings> element, but I've added this:

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true">
        <baseAddressPrefixFilters>
            <add prefix="http://service.ganymedes.com:8008" />
        </baseAddressPrefixFilters>
    </serviceHostingEnvironment>    
</system.serviceModel>

or the service wouldn't bind at all. I can use the same data URI as I use in the jQuery call directly in the browser, it'll send the cookie and WCF will return data. I just can't seem to use it in a cross sub-domain call and include the auth cookie.

A: 

OK, I guess this is a known limitation due to security (Same Origin Policy). I knew about cross-domain blocks, but I thought it'd be okay for subdomains.

I spent about 2 weeks researching WCF and REST (and using MVC as a RESTful webservice as well) always with an AJAX-aware mindset and this never came up before proof-of-concept implementation time. Go figure.

Apparently Basic authentication won't work across subdomains via AJAX either. JSONP will work with forms authentication/cookies, it seems, but won't work with Basic authentication (I don't want to limit myself to HTTP GET anyway...). Changing document.domain didn't do squat for me.

I guess I have to put everything on the same domain after all, or manually send authentication info as request parameters for every call, but both of those solutions feel like crappy workarounds (and it sure isn't more secure either). Oh well.

I feel kind of stupid now.

J F
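As an added example (not part of the question or the answer above, and not code from either application), the following JavaScript models the two browser rules that together explain the symptom: cookie Domain matching, which is why the GANYMEDES_COOKIE scoped to ganymedes.com is eligible for service.ganymedes.com, and the Same Origin Policy, under which the two subdomains on port 8008 are distinct origins, so a cross-origin XMLHttpRequest goes out without cookies unless the script sets `withCredentials` and the service answers with an exact-origin allow-list. Host names, the port and the cookie name come from the question; the service path, the `evaluateXhr` helper and the CORS response headers in the last two scenarios are assumptions constructed for illustration.

```javascript
// Added example: a model of the browser rules behind the question's symptom.
// Host names, port and cookie name come from the question; paths and the
// CORS response headers are constructed for illustration.

// The origin is the (scheme, host, port) triple. mvc.ganymedes.com:8008 and
// service.ganymedes.com:8008 share a port and a parent domain but not a host,
// so the Same Origin Policy treats them as two different origins.
function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: u.hostname, port };
}

function serializeOrigin(o) {
  const isDefault = (o.scheme === "http" && o.port === "80") ||
                    (o.scheme === "https" && o.port === "443");
  return `${o.scheme}://${o.host}${isDefault ? "" : ":" + o.port}`;
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cookie domain matching (RFC 6265 section 5.1.3): Domain=ganymedes.com covers
// every host under ganymedes.com, so the forms cookie is eligible for the
// service host. Cookie scope is therefore not what blocks the request.
function cookieDomainMatches(cookieDomain, host) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Simulates one XMLHttpRequest from pageUrl to requestUrl and reports whether
// the browser attaches the session cookie and whether the page may read the
// response. responseHeaders is a lower-cased map of the CORS headers returned.
function evaluateXhr({ pageUrl, requestUrl, cookie, withCredentials, responseHeaders }) {
  const eligible = cookieDomainMatches(cookie.domain, originOf(requestUrl).host);
  if (sameOrigin(pageUrl, requestUrl)) {
    return { cookieSent: eligible, responseReadable: true,
             reason: "same origin: cookies attach automatically" };
  }
  // Cross-origin: the cookie travels only if the script opted in.
  const cookieSent = eligible && withCredentials === true;
  const origin = serializeOrigin(originOf(pageUrl));
  const acao = responseHeaders["access-control-allow-origin"];
  const acac = responseHeaders["access-control-allow-credentials"];
  let responseReadable, reason;
  if (acao === undefined) {
    responseReadable = false;
    reason = "cross-origin without Access-Control-Allow-Origin: response withheld";
  } else if (withCredentials) {
    // Credentialed requests need an exact origin echo plus Allow-Credentials:
    // true; a wildcard is refused so a cookie-bearing response is never
    // readable by arbitrary sites.
    responseReadable = acao === origin && acac === "true";
    reason = responseReadable
      ? "credentialed CORS: exact origin allowed"
      : "credentialed CORS: wildcard or missing Allow-Credentials rejected";
  } else {
    responseReadable = acao === "*" || acao === origin;
    reason = responseReadable ? "anonymous CORS allowed" : "origin not allowed";
  }
  return { cookieSent, responseReadable, reason };
}

// Values from the question (cookie contents omitted; only its scope matters).
const FORMS_COOKIE = { name: "GANYMEDES_COOKIE", domain: "ganymedes.com" };
const MVC_PAGE = "http://mvc.ganymedes.com:8008/Test";
const SERVICE_URL = "http://service.ganymedes.com:8008/Service.svc/data"; // path assumed

// The call as posted: plain $.ajax, no credentials flag, no CORS headers.
function scenarioAsPosted() {
  return evaluateXhr({ pageUrl: MVC_PAGE, requestUrl: SERVICE_URL, cookie: FORMS_COOKIE,
    withCredentials: false, responseHeaders: {} });
}

// The working case from the question: a request to the MVC site itself.
function scenarioSameOrigin() {
  return evaluateXhr({ pageUrl: MVC_PAGE, requestUrl: "http://mvc.ganymedes.com:8008/Test/List",
    cookie: FORMS_COOKIE, withCredentials: false, responseHeaders: {} });
}

// What a credentialed cross-subdomain call needs on both sides (assumed config).
function scenarioCredentialedCors() {
  return evaluateXhr({ pageUrl: MVC_PAGE, requestUrl: SERVICE_URL, cookie: FORMS_COOKIE,
    withCredentials: true,
    responseHeaders: { "access-control-allow-origin": "http://mvc.ganymedes.com:8008",
                       "access-control-allow-credentials": "true" } });
}

// A wildcard allow-list does not work together with cookies, by design.
function scenarioWildcardWithCredentials() {
  return evaluateXhr({ pageUrl: MVC_PAGE, requestUrl: SERVICE_URL, cookie: FORMS_COOKIE,
    withCredentials: true,
    responseHeaders: { "access-control-allow-origin": "*",
                       "access-control-allow-credentials": "true" } });
}

console.log(scenarioAsPosted().reason);
```

Run it with `node`. The first scenario reproduces the posted situation: the cookie is eligible by domain but is not attached, the request reaches WCF anonymously, and Forms authentication answers with the 302 to loginUrl seen in the question. The third scenario shows the minimum a credentialed cross-subdomain call needs, and the fourth why a wildcard allow-list is rejected in that mode: once a service accepts the user's cookie from another origin, the allow-list is the only thing deciding which sites may act with that session, so it has to name the exact origin.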