
I am experimenting with developing a Single Page Application using ASP.NET MVC 4 / Web API and AngularJS.

I am using the MVC controller actions to return views and the Web API actions to return JSON.

As the Web API part is RESTful and has no state, I am wondering how to check whether a user session has expired. For example: a user clicks on a button and this leads to a request to the Web API action to get some JSON data. But when the request hits the server I want to check if the user session has expired.

As I said, I am rather new to this combination of technologies and I am wondering how this can be achieved. Any example will be greatly appreciated. Thanks in advance.

Mdb
  • http://stackoverflow.com/questions/9594229/accessing-session-using-asp-net-web-api and http://stackoverflow.com/questions/11478244/asp-net-web-api-session-or-something – malkam Jun 01 '14 at 13:23

2 Answers

Web API introduced an attribute, [Authorize], to provide security. This can be set globally (Global.asax):

// using System.Web.Http;
public static void Register(HttpConfiguration config)
{
    // Every Web API action now requires an authenticated caller
    config.Filters.Add(new AuthorizeAttribute());
}

Or per controller:

[Authorize]
public class ValuesController : ApiController
{
    ...
}

If your user is authenticated (the session has not expired), the service will work normally; if not, an HTTP 401 Unauthorized is returned.

Dalorzo

This is how I did it in my project. First, instantiate a session on the client side, i.e. in your MVC application, when the user logs in. Once the session is created, with each request add a unique identifiable token or session id to the header of the Web API request you are going to send. If the user sends a request without logging in, there will be no token present in the header of the request. If in your service you get an authentication token that you can verify, that means the request is authenticated and hence the session was still in place; otherwise the user sent the request without a session in place and hence no token is present in the header of the request.

You could add headers to your request like this:

// using System.Net.Http;
HttpClient httpClient = new HttpClient();

// Add a new Request Message (method and URI as elided in the original)
HttpRequestMessage requestMessage = new HttpRequestMessage(...);

// Add your custom headers
requestMessage.Headers.Add("authToken", "SessionId");
or
requestMessage.Headers.Add("authToken", "encryptedUsername:encryptedPassword");

And then in your Web API service read those headers; if you can uniquely identify or verify the authToken, that means the session was in place, else it is an unauthenticated request and you generate an error response.

I don't know if this is the best practice or not, but I did it this way. I actually store the encrypted username and password in my session and attach them to every request, and in my Web API I extract these header values and recheck them against my database and then further process the request. I know many people would not be too happy about storing passwords in the session, but I think it's not that bad; they are in encrypted form at least. The rest is up to you: you could store a sessionId instead, or a unique identifier, or a flag that may indicate that the session was actually in place and the request is authenticated.

zeppelin
  • Take a look at [How to secure a WebAPi](http://stackoverflow.com/a/21634723/1959948) – Dalorzo Jun 01 '14 at 15:22
  • Yes in my WebApi I have a [CustomAuthorize] attribute like that where I extract the header and check it from database. – zeppelin Jun 01 '14 at 15:24
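The following is an added example, not code from the question or from either answer, that ties the two answers together: a Web API 2 authorization filter (the kind of [CustomAuthorize] attribute the second answer mentions) that reads an `authToken` header, validates it against a server-side store with an expiry, and returns the 401 Unauthorized the first answer describes when the token is missing, unknown or expired. The token is an opaque random value issued at MVC login rather than an encrypted username/password, so a leaked token exposes no credential and can simply be revoked. The store (`SessionTokenStore`), the header name, the 20-minute sliding timeout and the `WWW-Authenticate` scheme name are all assumptions made for this illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical server-side session store: token -> (user name, absolute expiry).
// In-memory here for the example; in a real deployment this would live in a
// shared cache or database so it survives restarts and works across farm nodes.
public static class SessionTokenStore
{
    private static readonly ConcurrentDictionary<string, Tuple<string, DateTime>> Tokens =
        new ConcurrentDictionary<string, Tuple<string, DateTime>>();

    // Assumed sliding lifetime; every validated request pushes the expiry forward.
    public static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    // Called by the MVC login action after the credentials have been verified.
    // The token is 256 random bits and carries no username or password.
    public static string Issue(string userName)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        Tokens[token] = Tuple.Create(userName, DateTime.UtcNow.Add(Lifetime));
        return token;
    }

    // Returns the user name for a live token (sliding its expiry), or null when
    // the token is absent, unknown or expired. Expired entries are removed.
    public static string Validate(string token)
    {
        Tuple<string, DateTime> entry;
        if (token == null || !Tokens.TryGetValue(token, out entry)) return null;
        if (entry.Item2 <= DateTime.UtcNow)
        {
            Tokens.TryRemove(token, out entry);
            return null;
        }
        Tokens[token] = Tuple.Create(entry.Item1, DateTime.UtcNow.Add(Lifetime));
        return entry.Item1;
    }

    // Called on logout so the token stops working immediately.
    public static void Revoke(string token)
    {
        Tuple<string, DateTime> entry;
        Tokens.TryRemove(token, out entry);
    }
}

// Apply as [SessionTokenAuthorize] per controller/action, or globally with
// config.Filters.Add(new SessionTokenAuthorizeAttribute()) in WebApiConfig.
public class SessionTokenAuthorizeAttribute : AuthorizationFilterAttribute
{
    public const string HeaderName = "authToken";

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        IEnumerable<string> values;
        string token = actionContext.Request.Headers.TryGetValues(HeaderName, out values)
            ? values.FirstOrDefault()
            : null;

        string user = SessionTokenStore.Validate(token);
        if (user == null)
        {
            // Missing, unknown or expired token: answer with 401 so the AngularJS
            // client can intercept the status and send the user back to login.
            var response = actionContext.Request.CreateResponse(
                HttpStatusCode.Unauthorized, "session expired or not logged in");
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("SessionToken"));
            actionContext.Response = response;
            return;
        }

        // Expose the identity to the action so it can use User.Identity.Name.
        actionContext.RequestContext.Principal =
            new GenericPrincipal(new GenericIdentity(user), new string[0]);
    }
}

[SessionTokenAuthorize]
public class ValuesController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok(new { message = "hello " + User.Identity.Name });
    }
}
```

On the client, the AngularJS `$http` call sends the token in the `authToken` header and an interceptor redirects to the login page on a 401; on the server, the filter runs before the action for every request, which is exactly the "check when the request hits the server" the question asks for.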