How to pass jwt from one webpage to another

  • Question

  • User-29703693 posted

    I have a web forms website (say, site1.com) that creates a JWT and does a Response.Redirect("https://site2.com?jwt=the_jwt_token"). Site2 then grabs the JWT via Request.Query["jwt"] and validates the token (which expires after 20 seconds). This works great, and is quite simple. However, based on what I've read it's not the best practice to send JWT through the query string. Are there any simple alternatives where I could pass the jwt from site1 to site2 through headers or post?

    Sunday, November 29, 2020 3:16 AM

All replies

  • User1535942433 posted

    Hi bank5,

    According to the description, I suggest you could use Web Storage (Local Storage, Session Storage). Retrieve the token from cookie/web storage in another site.

    For more details, you could refer to the articles below:

    https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

    https://stackoverflow.com/questions/33723033/single-sign-on-flow-using-jwt-for-cross-domain-authentication

    Best regards,

    Yijing Sun

    Monday, November 30, 2020 9:09 AM
  • User-29703693 posted

    Thanks yij sun. I don't believe I can use Web Storage, because "site2.com" cannot access a cookie or session variable that was set on site1.com. The stackoverflow flow may be more complex than what I need to do, but I'll read through and reference it.

    One thing I could do is set a form up on site1.com like this:

    <body onload='document.forms["form"].submit()'>
        <form name='form' action='https://site2.com/LogIn' method='post'>
            <input type='hidden' name='jwt' value='@Model.jwt'>
        </form>
    </body>

    That would submit the jwt via post instead of through the querystring. However, I would have to turn off the antiforgerytoken - [IgnoreAntiforgeryToken(Order = 1001)] - in order for site2.com to receive post data from site1.com. I'll need to look into whether that's ok for this situation.

    Monday, November 30, 2020 4:29 PM
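Site2's receiving end for the auto-submitting form in the post above, as an added example that is not code from the thread: an ASP.NET Core Razor Page that accepts the POST without a site2 antiforgery token and relies on the JWT's signature and its 20-second lifetime instead. It assumes site1 signs with a shared HMAC secret, sets iss and aud to the two origins, and that cookie authentication is already configured; the config key, page name and origin values are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

// Added example, not from the thread. The POST comes from site1's form and so carries
// no site2 antiforgery token; the JWT signature and short lifetime stand in for it.
[IgnoreAntiforgeryToken(Order = 1001)]
public class LogInModel : PageModel
{
    private readonly IConfiguration _config;
    public LogInModel(IConfiguration config) => _config = config;
    public async Task<IActionResult> OnPostAsync([FromForm] string jwt)
    {
        if (string.IsNullOrEmpty(jwt)) return BadRequest();
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://site1.com",    // assumed: site1 sets iss to its origin
            ValidAudience = "https://site2.com",  // assumed: and aud to site2's origin
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(_config["Sso:SharedSecret"])), // placeholder key name
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            RequireExpirationTime = true,
            // Default ClockSkew is 5 minutes, which would stretch a 20-second token well past it.
            ClockSkew = TimeSpan.FromSeconds(5),
        };
        ClaimsPrincipal principal;
        try
        {
            principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return Unauthorized(); // bad signature, expired, malformed, wrong issuer or audience
        }
        // Never persist the handoff token; site2 issues its own session cookie from its claims.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(new ClaimsIdentity(principal.Claims,
                CookieAuthenticationDefaults.AuthenticationScheme)));
        return RedirectToPage("/Index");
    }
}
```

The token is still replayable within its 20-second window, so if that matters for the application, site1 should put a unique jti claim in each token and site2 should reject any jti it has already seen.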
  • User1535942433 posted

    Hi bank5,

    According to your description, if you wish to disable the validation of the application, you could use [IgnoreAntiforgeryToken(Order = 1001)].

    Best regards,

    Yijing Sun

    Wednesday, December 2, 2020 7:31 AM