0

I'm sending AJAX form from page in http scheme to https url (the domain, and the appliaction is the same). I use MVC 3 Ajax helper:

@using (Ajax.BeginForm(MVC.Payment.Confirm(), new AjaxOptions
{
    HttpMethod = "Post",
    UpdateTargetId = "myId",
    InsertionMode = InsertionMode.Replace,
    OnBegin = "$('#popupAjaxLoader').show();",
    OnSuccess = "$('#popupAjaxLoader').hide();",
    Url = "https://same.domain/payment/confirm"
}, new { @action = "https://same.domain.com/payment/confirm" }))
{   
...
}

In the application I use forms authentication:

   <forms loginUrl="~/Account/LogOn" timeout="2880" name="MYCOOKIENAME" />

In firebug I can see that the authentication cookie is not sent to the server when submiting the form, so the handler fails (the request need to be authorized). How can I force Ajax.BegiForm to attach authentication cookie?

UPDATE:

It turned out that the solution given by counsellorben works if there is no need to receive any information back from the ajax request. Sending Ajax POST from HTTP to HTTPS works fine (cookies are not attached, so you have to POST all neccessary data as hidden form fields), but the server response is not accessible for javascript because of Same Origin Policy. Eventually I had to abandon Ajax and place the form inside iframe referencing HTTPS url which seems to be the ultimate solution for this problem.

PanJanek
  • 6,593
  • 2
  • 34
  • 41

1 Answers1

2

Your problem is that this violates the Same Origin Policy. See the response to this question: Same origin policy with same domain, but https.

UPDATE

If it is not possible to make the entire portal use HTTPS, then the alternative is to use a different authentication scheme for your AJAX form submission.

I would suggest creating a GUID token for the AJAX form, storing the GUID in your repository along with (1) its creation time and (2) the ID of the user to which the GUID was assigned. Then pass the GUID in a hidden field on your AJAX form.

Remove the [Authorize] attribute from the action being called via the AJAX form, and instead check in your action that a GUID is passed, the GUID is valid, and it has not expired (setting an expiration time of 20 minutes, or whatever is valid under these circumstances). Use the GUID token to identify your user, and proceed as necessary.

Also, you should have some method to purge expired GUID tokens.

This should provide adequate security, since the GUID token is issued to an authorized user, and identifies the user submitting the AJAX form. It also permits you to use HTTPS only for the AJAX form submission, since you are no longer relying on the authentication cookie being passed.

Community
  • 1
  • 1
counsellorben
  • 10,924
  • 3
  • 40
  • 38
  • Ok, but is there any workaround? I need this ajax POST request to be secure because it contains sensitive data entered into the form, but the page from which the ajax script is executed is a regular page - switching it to https would require the whole portal to work in HTTPS, which is not something I would like. – PanJanek Nov 23 '11 at 17:54
  • At the time you were editing your response I started coding almost identical solution - implementing own authorization without relying on forms authentication cookie. It seems to be the neatest solution. Thanks! – PanJanek Nov 23 '11 at 18:37