Cookie Session / Authentication Alternative

Is there an alternative to the session feature plugin in ServiceStack? In some scenarios I cannot use cookies to match an authorized session in my service implementation. Is it possible to allow a session using a token in the HTTP request header? What is the preferred solution for this if the browser blocks cookies?

+7
2 answers

I use ServiceStack without the built-in auth and session services.

I use an attribute as a request filter to collect the user information (id and token), either from a cookie, a request header or a query-string parameter. You can provide this information after a user logs in: you add a new cookie to the response and also put the identifier and token into the page on the client side when rendering the view, so that HTTP headers and request parameters can be used for links.

    using System;
    using ServiceStack.ServiceHost;
    using ServiceStack.Text;                        // FromJson<T>()
    using ServiceStack.WebHost.Endpoints.Extensions; // GetCookieValue()

    // Credential pair carried by the "auth" cookie or the auth-id/auth-key headers.
    public class UserAuth
    {
        public string Id { get; set; }
        public string Token { get; set; }
    }

    public class AuthenticationAttribute : Attribute, IHasRequestFilter
    {
        public void RequestFilter(IHttpRequest request, IHttpResponse response, object dto)
        {
            var userAuth = new UserAuth();
            if (!string.IsNullOrWhiteSpace(request.GetCookieValue("auth")))
            {
                // The cookie holds the UserAuth serialised as JSON at login time.
                userAuth = request.GetCookieValue("auth").FromJson<UserAuth>();
            }
            else if (!string.IsNullOrEmpty(request.Headers.Get("auth-key"))
                  && !string.IsNullOrEmpty(request.Headers.Get("auth-id")))
            {
                userAuth.Id = request.Headers.Get("auth-id");
                userAuth.Token = request.Headers.Get("auth-key");
            }
            // authenticationService is the application's own service (not shown here).
            authenticationService.Authenticate(userAuth.Id, userAuth.Token);
        }

        public IHasRequestFilter Copy() { return new AuthenticationAttribute(); }

        // Negative priorities run before the global request filters.
        public int Priority { get { return -3; } }
    }

If the user is not logged in, I redirect him at that point.

My project supports an SPA. If the user consumes the API through XMLHttpRequests, the authentication information is sent in headers. I add this information to AngularJS when the page loads and reuse it for all requests (partial views, API consumption, etc.). ServiceStack is a powerful tool for this type of thing: you can easily configure the AngularJS application and the ServiceStack views to work side by side, check all requests, globalize your application, etc.

If cookies are unavailable and JavaScript is not used, you can still support authentication without cookies if you always generate links that pass the identifier and token as request parameters and pass them through a hidden form input, for example.

+7

@Guilherme Cardoso: In my current solution I am using PreRequestFilters and the built-in session feature.

My workflow / workaround is as follows:

When the user gets permission, I take the cookie and send it to the client in an HTTP header. Now the client can call the services if the cookie is set in the HTTP header (Authorization) of the request.

To do this, I redirect the fake authorization header to the request cookie using a PreRequestFilter. Now I can use the session feature. It feels like a hack, but it works at the moment :-)

    using System;
    using System.Linq;
    using System.Net;
    using System.Text;
    using ServiceStack.ServiceHost;
    using ServiceStack.WebHost.Endpoints;
    using ServiceStack.WebHost.Endpoints.Extensions; // GetCookieValue()

    public class CookieRestoreFromAuthorizationHeaderPlugin : IPlugin
    {
        public void Register(IAppHost appHost)
        {
            appHost.PreRequestFilters.Add((req, res) =>
            {
                // A real ss-id cookie is already present: nothing to do.
                var cookieValue = req.GetCookieValue("ss-id");
                if (!string.IsNullOrEmpty(cookieValue)) return;

                // Otherwise look for "Authorization: basictoken <base64(ss-id)>".
                var authorizationHeader = req.Headers.Get("Authorization");
                if (!string.IsNullOrEmpty(authorizationHeader)
                    && authorizationHeader.ToLower().StartsWith("basictoken "))
                {
                    var cookie = Encoding.UTF8.GetString(
                        Convert.FromBase64String(authorizationHeader.Split(' ').Last()));
                    // Inject it as the session cookie so SessionFeature picks it up.
                    req.Cookies.Add("ss-id", new Cookie("ss-id", cookie));
                    req.Items.Add("ss-id", cookie);
                }
            });
        }
    }
+4
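A hardened variant of the header-to-cookie bridge above, added here as an example and not part of either answer. It keeps the same ss-id cookie and "basictoken" scheme, assumes ServiceStack v3 namespaces, and additionally refuses to throw on malformed base64, never overwrites a cookie the browser already sent, and only restores a value that is legal inside a cookie.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text;
using ServiceStack.ServiceHost;
using ServiceStack.WebHost.Endpoints;

// Added example: same header-to-cookie bridge as the answer above, but malformed
// base64 is ignored instead of producing a 500, an existing ss-id cookie is never
// overwritten, and the restored value must be a legal cookie value first.
public class HardenedCookieRestorePlugin : IPlugin
{
    const string SessionCookie = "ss-id";
    const string Scheme = "basictoken ";
    public void Register(IAppHost appHost)
    {
        appHost.PreRequestFilters.Add((req, res) =>
        {
            // A real cookie always wins; the header is only a fallback.
            if (req.Cookies.ContainsKey(SessionCookie)) return;
            var sessionId = TryDecode(req.Headers.Get("Authorization"));
            if (sessionId == null) return;
            req.Cookies.Add(SessionCookie, new Cookie(SessionCookie, sessionId));
            req.Items.Add(SessionCookie, sessionId);
        });
    }

    // Session id carried by "Authorization: basictoken <base64>", or null when
    // the header is absent, uses another scheme, is not base64, or is unsafe.
    public static string TryDecode(string authorizationHeader)
    {
        if (authorizationHeader == null ||
            !authorizationHeader.StartsWith(Scheme, StringComparison.OrdinalIgnoreCase))
            return null;
        string decoded;
        try
        {
            var b64 = authorizationHeader.Substring(Scheme.Length).Trim();
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        }
        catch (FormatException) { return null; } // not valid base64: ignore it
        return IsCookieSafe(decoded) ? decoded : null;
    }
    // RFC 6265 cookie-octet: printable ASCII except space, '"', ',', ';', '\'.
    static bool IsCookieSafe(string value)
    {
        return value.Length > 0 && value.Length <= 256 &&
               value.All(c => c > 0x20 && c < 0x7F && "\",;\\".IndexOf(c) < 0);
    }
}
```

Register it from your AppHost's Configure method with Plugins.Add(new HardenedCookieRestorePlugin()) before the session feature reads the request.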
