
I want to create a login mechanism for my web platform that I'm building. It's .net 6 (cshtml pages).

My login page uses a js-file with control handlers and Ajax calls. The login page (and the other UI) are hosted with the https protocol.

The Ajax calls go to a web api (https).

At the moment I host it locally on IIS10 (windows 10). I use 2 different domains.

My thought:
- I put the credentials in a cookie (at the moment not yet encrypted)
- Via an Ajax call I have to send this cookie to the server
- In the login controller I can verify if the username/password is correct
- If it's correct I can create a token to send back to the client that it can use for further calls until the end of the session.

Which is safer, putting the credentials in a cookie? Or as parameters of the Ajax request?

I also read that using JSONP could be the solution, but it's older and less safe than JSON, right?

I think I need to set extra response headers in the login controller to let the controller 'pick up' the cookie.

Now the debugger reaches the code, but the length of the cookies in the request is 0.

Or are there 2 calls needed?

What I have tried:

// Client side (login.js), as posted. Wrapped in a function and with the $.ajax call
// closed so the fragment parses; 'gebruikersnaam' is the typed user name.
function login(gebruikersnaam, password) {
    var sURL = "https://bbb.api/Login/SetUserVariables";
    var sMethod = "POST";
    var sDataType = "json";

    // Both cookies carry Domain=aaa.local, so the browser attaches them only to
    // requests for aaa.local (and its subdomains); a request to bbb.api gets neither.
    document.cookie = `username=${gebruikersnaam};Path=/;Secure;SameSite=None;Domain=aaa.local;`;
    document.cookie = `password=${password};Path=/;Secure;SameSite=None;Domain=aaa.local;`;

    return $.ajax({
        url: sURL,
        method: sMethod,
        dataType: sDataType,
        xhrFields: { withCredentials: true }, // required for cookies on a cross-origin request
        async: true
    });
}

// Server side (LoginController action, ASP.NET Core), as posted. The page garbled
// the generic type to "stringvalues"; it is Microsoft.Extensions.Primitives.StringValues
// (add: using Microsoft.Extensions.Primitives;).
string sUsername = Request.Cookies["username"];   // null when the browser sent no such cookie
string sPassword = Request.Cookies["password"];

// The browser sends the Origin header without the default port ("https://aaa.local"),
// and the allowed origin is compared against it byte for byte.
Response.Headers.Add(new KeyValuePair<string, StringValues>("Access-Control-Allow-Origin", new StringValues("https://aaa.local:443")));

Response.Headers.Add(new KeyValuePair<string, StringValues>("Access-Control-Allow-Credentials", new StringValues("true")));

Response.Headers.Add(new KeyValuePair<string, StringValues>("Access-Control-Allow-Methods", new StringValues("POST")));

// When credentials are allowed, "*" is not treated as a wildcard here; the headers must be listed.
Response.Headers.Add(new KeyValuePair<string, StringValues>("Access-Control-Allow-Headers", new StringValues("Content-Type, *")));

// "Domain" is not a response header the browser acts on; cookie scope is set by the
// Domain attribute of Set-Cookie (or document.cookie), not by a separate header.
Response.Headers.Add(new KeyValuePair<string, StringValues>("Domain", new StringValues("aaa.local")));
Updated 19-Jan-22 21:21pm
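Why the request arrives with zero cookies, as an added example that is not part of the original post: before attaching a cookie to a request the browser checks the cookie's Domain, Path and Secure attributes against the request URL, so a cookie scoped to aaa.local is never sent to bbb.api, whatever the CORS headers say. The functions below model that matching (the domain-match and path-match rules of RFC 6265) in plain JavaScript; the host names are the ones from the question and the cookie jar is constructed for the illustration.

```javascript
// Added example, not code from the original post: a model of the checks a
// browser runs before attaching stored cookies to a request.

// RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 path-match: equal, or a prefix that ends at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies from the jar that a browser would send to the given URL.
function cookiesSentTo(cookieJar, url) {
  const u = new URL(url);
  return cookieJar
    .filter((c) => domainMatches(u.hostname, c.domain))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => c.name);
}

// Constructed sample jar: the two cookies the question's login.js sets.
const jar = [
  { name: "username", domain: "aaa.local", path: "/", secure: true },
  { name: "password", domain: "aaa.local", path: "/", secure: true },
];

// The API on bbb.api receives no cookies at all, so Request.Cookies is empty.
cookiesSentTo(jar, "https://bbb.api/Login/SetUserVariables");
// The same jar is attached only to requests for the UI origin.
cookiesSentTo(jar, "https://aaa.local/login");
```

The only way a cookie set by aaa.local reaches bbb.api is for bbb.api to set its own cookie (via Set-Cookie in a response); a cookie written from JavaScript on one origin cannot be scoped to an unrelated host, and the browser silently ignores a Domain that does not match the page that sets it.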
Gerry Schmitz 1-Jan-22 14:25pm    
Just Google it.
Hendrik Debedts 20-Jan-22 2:26am    
The browser doesn’t give an error anymore on CORS. But the cookie in my response is still empty.

I also find that ‘withCredentials: true’ is not needed. The IIS user is used instead of the typed username.
Richard Deeming 20-Jan-22 4:03am    
Storing the user's credentials in cookies is a massive security breach waiting to happen. Hope you've got deep pockets - the GDPR fines can run into the millions!

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
