I am using the ASP.NET Login Control for authentication.

I have some users and they are able to log in successfully. When authenticated I redirect to a page helloworld.aspx. In the Page_Load method I first make a call to Membership.GetUser(). This returns the authenticated user properly. I then make a call to a simple WCF web service that resides in the same WebApplication. The first line of my WebService calls the same Membership.GetUser(). This time though it returns NULL.

Any thoughts?

Thanks, Justin

Here are some code snippets

JustinPage.aspx

public partial class JustinPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        MembershipUser user = Membership.GetUser();
        // user is a valid user

        JustinService.JustinTestServiceClient justin = new CMS.WEB.JustinService.JustinTestServiceClient();
        justin.DoWork();
    }
}

JustinTestService.svc.cs

[ServiceContract(Namespace = "")]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class JustinTestService
{
    [OperationContract]
    public void DoWork()
    {
        MembershipUser user = Membership.GetUser();
        // user is NULL ???  Why?
        return;
    }
}

As mentioned earlier the Service source code is in the Same WebApplication as Justin.aspx as you can see by the endpoint (note my app is fixed on port 19003)...

<endpoint address="http://localhost:19003/Services/JustinTestService.svc"
          binding="basicHttpBinding"
          bindingConfiguration="BasicHttpBinding_JustinTestService"
          contract="JustinService.JustinTestService"
          name="BasicHttpBinding_JustinTestService" />

Also the binding looks like this...

<binding name="BasicHttpBinding_JustinTestService"
         closeTimeout="00:01:00" openTimeout="00:01:00"
         receiveTimeout="00:10:00" sendTimeout="00:01:00"
         allowCookies="false" bypassProxyOnLocal="false"
         hostNameComparisonMode="StrongWildcard"
         maxBufferSize="65536" maxBufferPoolSize="524288"
         maxReceivedMessageSize="65536"
         messageEncoding="Text" textEncoding="utf-8"
         transferMode="Buffered" useDefaultWebProxy="true">
    <readerQuotas maxDepth="32" maxStringContentLength="8192"
                  maxArrayLength="16384" maxBytesPerRead="4096"
                  maxNameTableCharCount="16384" />
    <security mode="None">
    </security>
</binding>

Maybe it has something to do with the <security mode="None"> ???

A: 

The problem is that the web service call is not originating from the browser, where the user authenticated. Instead, you are originating the web service call from your application (your web server is creating an HTTP request to your web server!).

pgb
Hrm... ok agreed. I was purposely doing this because I want to create a common contract that all clients will communicate with. I don't want to give this WebApp special access to the Business Layer just because they reside in the same app. All client applications should go through the same API. So would the recommended solution be to call the Service directly? I already know this works but was trying to be consistent maybe incorrectly so.
Justin
I assume you can get the credentials of the currently logged in user and send it to the web service, but I'm not sure that will be secure. Is your web service open to the outside or just internal?
pgb
A: 

Get Fiddler and see if the authentication cookie is being sent across the wire.

If it isn't you might need to bundle it up in your request to the service.

Something like this

Service1Client ws = new Service1Client(); // Name of webclient proxy
using (OperationContextScope scope = new OperationContextScope(ws.InnerChannel))
{
    // Attach an HTTP request property so custom headers can be set on the outgoing call
    HttpRequestMessageProperty httpRequest = new HttpRequestMessageProperty();
    OperationContext.Current.OutgoingMessageProperties.Add(HttpRequestMessageProperty.Name, httpRequest);

    // Copy the forms authentication cookie from the browser's request, if present
    if (Request.Cookies[".ASPXAUTH"] != null)
    {
        HttpCookie aCookie = Request.Cookies[".ASPXAUTH"];
        String authcookieValue = Server.HtmlEncode(aCookie.Value);
        httpRequest.Headers.Add("Cookie: " + ".ASPXAUTH=" + authcookieValue);
    }

    // Make call to webservice here
    ws.MyWCFCall();

    // HTTP-level response details (status code, headers) of the call just made
    HttpResponseMessageProperty response = (HttpResponseMessageProperty)OperationContext.Current.IncomingMessageProperties[HttpResponseMessageProperty.Name];
}
JSmyth
Is it supposed to work with Silverlight 3 ?
tomo
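
Added example (not part of the original thread or either answer): a service-side counterpart to the cookie forwarding above, in which the service from the question refuses calls that arrive without a valid forms authentication ticket instead of continuing with a null user. It assumes ASP.NET compatibility is enabled in web.config; `RequireAuthenticatedUser` is a hypothetical helper name, and the fault messages are illustrative.

```csharp
// Added example, not code from the thread.
// Assumes web.config contains, under <system.serviceModel>:
//   <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;
using System.Web.Security;

[ServiceContract(Namespace = "")]
// Required (rather than Allowed): the service will not activate unless ASP.NET
// compatibility is on, so the forms authentication module always runs first.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class JustinTestService
{
    [OperationContract]
    public void DoWork()
    {
        MembershipUser user = RequireAuthenticatedUser();
        // ... business logic acting on behalf of 'user' ...
    }

    // Hypothetical helper: returns the caller's membership record or faults.
    private static MembershipUser RequireAuthenticatedUser()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null)
            throw new FaultException("ASP.NET compatibility mode is not enabled.");

        // The .ASPXAUTH ticket is a bearer credential. Outside local development,
        // accept it only over TLS so it is never sent in cleartext.
        if (!ctx.Request.IsLocal && !ctx.Request.IsSecureConnection)
            throw new FaultException("HTTPS is required.");

        // Set by the forms authentication module when the request carried a valid ticket.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            throw new FaultException("Authentication required.");

        MembershipUser user = Membership.GetUser(ctx.User.Identity.Name);
        if (user == null)
            throw new FaultException("Unknown user.");
        return user;
    }
}
```

With the binding shown in the question (`<security mode="None">` over http), the TLS check only passes for local requests; a non-local deployment would need an https endpoint with `<security mode="Transport">`.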