Last post Oct 06, 2015 10:18 AM by BrockAllen
Oct 05, 2015 10:59 AM|seamus1982
I have a Web API application. This issues bearer tokens for authorization. However, I want to send the client a cookie so this can be used for authorization. How do I send the client a bearer token and a cookie for authorization in one request? So for AJAX calls I can include the bearer token, and for postbacks it sends the cookie.
Any help would be really appreciated.
Oct 05, 2015 02:39 PM|BrockAllen
Oct 05, 2015 03:11 PM|seamus1982
Thanks for getting back to me. I need bearer tokens, because I will be developing mobile apps as well. Can I have a cookie that works for both the MVC application and the web api?
Oct 05, 2015 04:03 PM|BrockAllen
In theory you could. But the cookie client needs to solve the XSRF problem, and using bearer tokens solves the problem. So only using bearer tokens allows for both client types and means your APIs only have to have one way to authenticate the caller.
Oct 06, 2015 03:54 AM|seamus1982
Thanks again for getting back to me. So if I use bearer tokens, how do I send them in a postback from the application? I need to insert them into the header; is there any way to do this?
Oct 06, 2015 10:18 AM|BrockAllen
Bearer tokens are for Ajax calls, so you would set them in the Authorization HTTP header. For normal POST backs from an HTML page, you'd use a cookie (with an AntiXSRF field as well).
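The split described in the thread, as an added example that is not part of the original posts or of any ASP.NET API: the Ajax client puts the token in the `Authorization` header, while a cookie-authenticated form post is accepted only with a matching anti-XSRF field. All names here (`buildAjaxRequest`, `authenticate`, the `session` cookie, the `__xsrf` field) and the server-side session store are assumptions made for illustration.

```javascript
// Client side: an Ajax call carries the token explicitly in the header.
function buildAjaxRequest(url, accessToken, body) {
  return {
    url,
    method: "POST",
    headers: {
      Authorization: "Bearer " + accessToken,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(body),
  };
}

// Constant-time comparison for the anti-XSRF value.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side (hypothetical model): tokens maps token -> user,
// sessions maps session id -> { user, xsrf }.
function authenticate(req, tokens, sessions) {
  const header = Object.entries(req.headers || {})
    .find(([name]) => name.toLowerCase() === "authorization");
  if (header) {
    // A presented header must be valid; design choice here: no cookie fallback.
    const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(header[1]);
    if (m && tokens.has(m[1])) {
      return { ok: true, user: tokens.get(m[1]), scheme: "bearer" };
    }
    return { ok: false, reason: "invalid bearer token" };
  }
  const session = sessions.get((req.cookies || {}).session);
  if (!session) return { ok: false, reason: "no credentials" };
  // The browser attaches cookies automatically, so a state-changing request
  // must also prove it came from our own page via the anti-XSRF field.
  const field = (req.form || {}).__xsrf;
  if (req.method !== "GET" && !safeEqual(field, session.xsrf)) {
    return { ok: false, reason: "anti-XSRF field missing or wrong" };
  }
  return { ok: true, user: session.user, scheme: "cookie" };
}
```

The bearer path needs no anti-XSRF check because a browser never adds the `Authorization` header on its own; the calling script has to set it.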