User-225121172 posted
So, I have a website (let's call it MySite). We have implemented it primarily using .NET. Recently AngularJS was introduced, and we have created .aspx pages that consume the AngularJS libraries.
Recently there was a requirement to develop a login module on a virtual directory (let's call this MyVirtualDirectory) within the website. Please note that the website already uses a login method (which is handled via a button click event handler in .NET). The idea was, upon entering the username and password on the MyVirtualDirectory login module, to call the existing authenticate login method (which is currently consumed by the website). So, for this, we wrote a web method, and we are calling the login method from within this web method. This web method is invoked from the Angular code. Everything works as expected, and the login web method returns true or false.
Although functionally things work as expected, I am not too happy about the security aspects. One of the security constraints was that the web method we wrote should be invoked only from within the website. We thought about a couple of options:

- One was to set a cookie on the load of the virtual directory home page, and when the web method is invoked, check for this cookie. Obviously, this has its own set of issues, because the cookie could be set by anyone.
- The next was to set a session variable on the page load of the virtual directory home page, and check for this session variable when the web method is invoked. This was more secure than the first option, but I still felt it was slightly vulnerable.
Any other thoughts/considerations? To summarize, my question is: how do I securely invoke a web method and ensure that the call is made only from within the website?
Thanks in advance
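Editor's added example, not code from the original poster or their site: the second option above (a session variable set on page load) stops callers who never loaded the page, but the session cookie is sent automatically on any request the victim's browser makes, including one triggered from a foreign page, so a session check alone does not prove the call came from your page. The usual fix is the synchronizer-token pattern: issue a random token on page load, store it in the session, have the Angular code echo it back in a custom request header, and reject web-method calls whose header does not match. A foreign origin cannot read the token and cannot add a custom header to a cross-origin request without a CORS preflight the server will not grant. The class name `LoginPage`, the header name `X-Request-Token`, and the existing authenticate method `AuthenticateUser` are assumed placeholders; the page method is a Web Forms `[WebMethod]` page method as the post describes.

```csharp
// Added example (editor's code, not the poster's): synchronizer-token check on a
// Web Forms page method. Class name, header name and AuthenticateUser are assumed.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Services;
using System.Web.UI;

public partial class LoginPage : Page
{
    private const string TokenSessionKey = "LoginRequestToken"; // server-side copy of the token
    private const string TokenHeaderName = "X-Request-Token";   // header the Angular call must send

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Issue one unpredictable, session-bound token when the page is loaded.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        string token = Convert.ToBase64String(bytes);
        Session[TokenSessionKey] = token;

        // Expose it to the page so the Angular code can read it and put it in a header.
        // The token must be readable by script here; it is the header, not a cookie,
        // that a foreign origin cannot supply.
        ClientScript.RegisterHiddenField("requestToken", token);
    }

    // Page method called by the Angular code. EnableSession is required, otherwise
    // HttpContext.Current.Session is null inside a static [WebMethod].
    [WebMethod(EnableSession = true)]
    public static bool Login(string username, string password)
    {
        HttpContext ctx = HttpContext.Current;

        // 1. The caller must hold the session in which this page issued a token.
        var expected = ctx.Session[TokenSessionKey] as string;
        if (string.IsNullOrEmpty(expected))
        {
            ctx.Response.StatusCode = 403;
            return false;
        }

        // 2. The request must carry that session's token in the custom header.
        string presented = ctx.Request.Headers[TokenHeaderName];
        if (presented == null || !FixedTimeEquals(expected, presented))
        {
            ctx.Response.StatusCode = 403;
            return false;
        }

        // Only a request that passed both checks reaches the existing login method.
        return AuthenticateUser(username, password);
    }

    // Constant-time comparison so a wrong token cannot be guessed byte by byte
    // from response timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Stand-in for the site's existing authenticate method referred to in the post
    // (assumed name); wire this to the real method.
    private static bool AuthenticateUser(string username, string password)
    {
        throw new NotImplementedException("call the existing site login method here");
    }
}
```

On the Angular side the call reads the hidden field and sends it as a header, e.g. `$http.post(url, data, { headers: { 'X-Request-Token': document.getElementById('requestToken').value } })` (the header name is the placeholder used above). Two caveats a practitioner should keep in mind: this proves the request came from a browser that loaded your page in this session and from your origin, which is what the constraint in the post asks for, but no server-side check can stop someone who legitimately loads the page and drives it with their own script; and the page and the web method must both be served over HTTPS, otherwise the token and the session cookie travel in the clear.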