I'm building an API with WebAPI that will accept authentication information over SSL via HTTPS from the web browser client. The web browser uses forms authentication and requires HTTPS so it can securely send username/password to the API endpoint. My API uses Websecurity.Login() and Websecurity.Logout() to handle authentication for the web client.
How would this get handled in a WP8 application / Universal app built with WinJS? Can I do the same thing - send login / registration credentials over HTTPS and use Websecurity to handle forms auth?
Here's how my WebAPI is currently set up for auth:
    public HttpResponseMessage LogIn(LoginModel model)
    {
        if (ModelState.IsValid)
        {
            // Refuse a second login on a session that is already authenticated.
            if (User.Identity.IsAuthenticated)
            {
                return Request.CreateResponse(HttpStatusCode.Conflict, "already logged in.");
            }
            // Validate the credentials against the membership store.
            if (WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            {
                // Issue the forms-authentication cookie the client must send on later requests.
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                return Request.CreateResponse(HttpStatusCode.OK, "logged in successfully");
            }
            else
            {
                return new HttpResponseMessage(HttpStatusCode.Unauthorized);
            }
        }
        // If we got this far, something failed
        return new HttpResponseMessage(HttpStatusCode.InternalServerError);
    }

    public HttpResponseMessage LogOut()
    {
        if (User.Identity.IsAuthenticated)
        {
            // Clear the forms-authentication cookie for the current user.
            WebSecurity.Logout();
            return Request.CreateResponse(HttpStatusCode.OK, "logged out successfully.");
        }
        return Request.CreateResponse(HttpStatusCode.Conflict, "already done.");
    }
Is this approach compatible with WP8 or other native mobile app development authentication?
It would definitely work, assuming that consecutive requests carry the cookie that is appended to the very first request to the Login action.
In case of a browser app that uses ajax this works out of the box as consecutive ajax requests carry all cookies issued by the same domain and appended in the current browser session.
In case of a native application this could be trickier because it means that the same client proxy instance would have to be used or you find a way to have a temporary local storage for authentication cookies and append these cookies to every request.
However, there is a potential drawback of this request: you assume that the login method can use the login/password in an active scenario to produce forms cookie. And this isn't always as simple as that.
This is because your site can potentially be federated with an external identity provider (ADFS, Azure Active Directory, Google, Facebook, whatever) so that the actual authentication takes place in another website and your website only gets the response that conforms to the single sign on protocol used (OAuth2, WS-Federation).
In such a case, there is really no easy way to use the pair login/password at the server side to get the identity of the user.
A workaround in such a case, where the identity provider is unknown, is to host the webbrowser control (if possible) and let it perform the passive authentication scenario - which means that you navigate to the application page and let the web browser control automatically 302 to the login page, no matter how many redirects it takes. Then, the user provides credentials at the provider page and the web browser redirects all the way back to your application and this is where you catch the identity at the server side, close the web browser control and somehow (depending on the actual web browser host) read the authentication cookie so that you can attach it to further requests.
Sounds tricky, but we have found some federation scenarios where actual SSO protocols between parties were not guaranteed and such simulation of the passive scenario from within the hosted web browser was the only reliable way.
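The "temporary local storage for authentication cookies" the answer mentions, sketched as an added example that is not code from the answer or from any SDK. The class name `AuthCookieJar`, the host `api.example.test` and the ticket value are hypothetical; `.ASPXAUTH` is the default ASP.NET forms-authentication cookie name.

```javascript
// Minimal in-memory store for the forms-auth cookie (illustrative, not a full RFC 6265 jar).
class AuthCookieJar {
  constructor() { this.cookies = new Map(); } // key: host + "|" + name

  // Record the Set-Cookie headers of a response received from `url`.
  store(url, setCookieHeaders, now = Date.now()) {
    const { protocol, hostname } = new URL(url);
    for (const header of setCookieHeaders) {
      const [pair, ...attrs] = header.split(";").map(s => s.trim());
      const eq = pair.indexOf("=");
      if (eq < 1) continue; // malformed header, ignore
      const name = pair.slice(0, eq), value = pair.slice(eq + 1);
      // Hardening choice: a cookie received over HTTPS is HTTPS-only, even without "Secure".
      const c = { name, value, host: hostname, path: "/", secure: protocol === "https:", expires: null };
      for (const a of attrs) {
        const [k, v = ""] = a.split("=");
        const key = k.toLowerCase();
        if (key === "secure") c.secure = true;
        else if (key === "path" && v.startsWith("/")) c.path = v;
        else if (key === "expires") c.expires = Date.parse(v);
        else if (key === "max-age") c.expires = now + Number(v) * 1000;
      }
      const id = hostname + "|" + name;
      // An empty value or a past expiry is how the server's logout clears the ticket.
      if (value === "" || (c.expires !== null && c.expires <= now)) this.cookies.delete(id);
      else this.cookies.set(id, c);
    }
  }

  // Build the Cookie header for a later request; "" means nothing may be sent.
  headerFor(url, now = Date.now()) {
    const { protocol, hostname, pathname } = new URL(url);
    const out = [];
    for (const c of this.cookies.values()) {
      if (c.host !== hostname) continue;                    // never leak to another host
      if (c.secure && protocol !== "https:") continue;      // never send over plain HTTP
      if (!pathname.startsWith(c.path)) continue;           // simplified path match
      if (c.expires !== null && c.expires <= now) continue; // expired ticket
      out.push(c.name + "=" + c.value);
    }
    return out.join("; ");
  }
}

// Constructed sample: the Set-Cookie value below is invented for illustration.
const jar = new AuthCookieJar();
jar.store("https://api.example.test/api/account/login", [".ASPXAUTH=CONSTRUCTED-TICKET; path=/; HttpOnly"]);
console.log(jar.headerFor("https://api.example.test/api/orders")); // attach as the Cookie header
```

The store keeps the ticket in memory only; persisting it for a "remember me" login means protecting it like a credential in the platform's secure storage.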