Making secure ajax calls

  • Question

  • User310927902 posted
    I have an asp.net core 2 mvc app that uses AD auth, for which I need to add some client side ajax calls. I plan to add a controller for the api; however, I have not found any info on making the client side js calls utilize the existing authenticated session. I'd be grateful for any pointers on where to find info or docs on this.
    Saturday, April 28, 2018 3:47 PM

Answers

All replies

  • User1163516801 posted

    Generally speaking, the authenticated session is stored on the server side, so the client side cannot access its data.

    I don't know which authentication method or service you are using. Assuming you are using basic authentication on your server (username & password), to achieve this scenario you can try to implement the following steps:

    1. Make a login api in your controller, and return a token (at its simplest, a string built from the username/password pair, like "md5(username:password)").
    2. Make an ajax call to this login api, and store the token in your client storage or runtime memory.
    3. Set this token as the authentication header in all your secure ajax calls, like:
      var settings = {
        "async": true,
        "crossDomain": true,
        "url": "http://localhost/secureapi",
        "method": "GET",
        "headers": {
          "authorization": "<username:password-token>",
        }
      }
      
      $.ajax(settings).done(function (response) {
        console.log(response);
      });
    4. Make a middleware to authenticate the token in your server.
      public async Task Invoke(HttpContext context)
      {
          // IHeaderDictionary is indexed by header name; a missing header yields an empty value.
          var authHeader = context.Request.Headers["Authorization"];
          if (!string.IsNullOrEmpty(authHeader))
          {
              //Authenticate logic code: validate the token, then let the request continue.
              await _next(context);
          }
          else
          {
              // Reject and stop here, so an anonymous request never reaches the endpoint.
              context.Response.StatusCode = 401;
          }
      }


    Monday, April 30, 2018 7:07 AM
  • User310927902 posted

    Hi Gary,
    I am using Active Directory based Windows Authentication. For the controllers which require authorization, I use the Authorize attribute with a Roles declaration, hence my ambiguity over how to integrate the ajax calls into the users session.

    Thanks.

    Monday, April 30, 2018 5:36 PM
  • User1163516801 posted

    If your application is on a local domain, you can refer to the existing answer at https://forums.asp.net/t/2131082.aspx?JS+Fetch+API+with+Windows+AD+Authenticated+Web+Api to see whether it can quickly help you.

    Any further concern, please feel free to let me know.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, May 2, 2018 2:34 AM
  • User310927902 posted

    Hey Gary,
    So it turned out to be simpler than I thought. Using the same Authorize attributes and adding a withCredentials field set to true to the xhrFields parameter works. The api methods respond appropriately to the required roles.

    Thanks.

    Wednesday, May 2, 2018 11:11 PM
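The approach from the final reply (a same-origin jQuery call with xhrFields.withCredentials, relying on the server's existing Windows Authentication and [Authorize(Roles = ...)] checks), as an added example that is not part of the thread. The function names, the '/api/secure' path and the 'https://intranet.example' origin are assumed for illustration.

```javascript
// Added example (not from the thread): calling an ASP.NET Core API protected by
// Windows Authentication + [Authorize(Roles = ...)] from jQuery. The browser
// negotiates Kerberos/NTLM on its own; the client only has to let
// XMLHttpRequest send credentials (xhrFields.withCredentials = true).
// Assumed names: buildSecureSettings, classifyResponse, callSecureApi.

// Build the $.ajax settings. Credentials are only ever sent to the page's own
// origin, so the user's Windows credentials are never offered to another host.
function buildSecureSettings(url, pageOrigin, method = 'GET') {
  const target = new URL(url, pageOrigin);
  if (target.origin !== new URL(pageOrigin).origin) {
    throw new Error(`refusing to send credentials cross-origin to ${target.origin}`);
  }
  return {
    url: target.href,
    method,
    // No hand-rolled Authorization header: the browser supplies Negotiate/NTLM.
    xhrFields: { withCredentials: true },
  };
}

// Map the HTTP status onto the outcomes the thread cares about:
// 401 = the browser/server could not authenticate the user,
// 403 = authenticated, but the [Authorize(Roles = ...)] check failed,
// 2xx = the role check passed.
function classifyResponse(status) {
  if (status === 401) return 'unauthenticated';
  if (status === 403) return 'forbidden';
  if (status >= 200 && status < 300) return 'ok';
  return 'error';
}

// Perform the call in the browser (requires jQuery); resolves to { outcome, body }.
// $ and window are only touched when invoked, so the helpers above load in Node.
function callSecureApi(url) {
  return new Promise((resolve) => {
    const settings = buildSecureSettings(url, window.location.origin);
    $.ajax(settings)
      .done((body, _text, xhr) => resolve({ outcome: classifyResponse(xhr.status), body }))
      .fail((xhr) => resolve({ outcome: classifyResponse(xhr.status), body: xhr.responseText }));
  });
}
```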