How do I properly secure calls/layers in the javascript API using the token service

07-08-2014 05:50 AM
DanielPritchett
New Contributor II

Currently I'm working on an implementation where my web application (asp.net stack) communicates with an internal C# asmx web service which acts as a proxy to retrieve the key from the token service, store it in session, and pass it back as a cookie/json to the requesting client.  There is also logic in there to ensure they get back a token with integrity.

My problem is I am looking for a way to ensure that the cookie is safe.  I have the cookie set to HttpOnly and Secure.  The problem is of course I can't access the cookie via the javascript api.  Also due to security requirements appending the token to the url is not an option.  So I removed that and then just did the standard:

    // Token credential built from the proxy web service's response (result.d)
    var token = {
      "server": "<internal domain hosting arcgis server>/arcgis/rest",
      "userId": "<username>",
      "token": result.d.Token,
      "ssl": false,
      "expires": result.d.Expires
    };

    // Register the credential with the IdentityManager (esri/kernel -> id)
    kernel.id.registerToken(token);

But after I add the layers and initialize everything, the map is blank, and when I try to forward or reverse geocode I get the error "Uncaught TypeError: Cannot read property 'wkid' of undefined".

Is there a better way of using the token to secure calls and layers made in JavaScript?

1 Reply
DaveTimmins
Occasional Contributor II

If you want to use the Esri way then you can look at using the IdentityManager which will manage the token for you.

If you want to do it yourself and keep the token off the client then you can use the proxy page to generate and add tokens to the requests as needed. To be more secure you should also restrict unauthenticated or unauthorized access to the proxy.

I've got a sample app for routing all secure requests through the server proxy at http://arcmap.azurewebsites.net/ and the code is on GitHub https://github.com/davetimmins/Joosh if you want to take a look.

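The core of the "keep the token off the client" proxy described in the reply, as an added example that is not code from the original post or from the Joosh project. It assumes a server-side session object holding the ArcGIS token and an allow list of backend servers (ALLOWED_SERVERS, buildProxiedRequest and the session shape are constructed names); the browser only ever sees the proxy URL, and the proxy refuses unauthenticated callers, unknown hosts and client-supplied tokens before appending the session's token itself.

```javascript
// Backend servers this proxy is allowed to forward to (constructed values).
// Anything else is rejected so the proxy cannot be used as an open relay
// and the token is never sent to a host it was not issued for.
const ALLOWED_SERVERS = [
  { prefix: "https://gis.internal.example/arcgis/rest/" },
];

// session: server-side session of the calling user, e.g.
//   { authenticated: true, arcgisToken: "<token fetched from the token service>" }
// targetUrl: the ArcGIS REST URL the JavaScript API asked the proxy to fetch
// Returns { ok: true, url } with the token appended server-side, or
// { ok: false, status, reason } describing why the request was refused.
function buildProxiedRequest(session, targetUrl) {
  // 1. Only authenticated application users may use the proxy at all.
  if (!session || session.authenticated !== true ||
      typeof session.arcgisToken !== "string" || session.arcgisToken === "") {
    return { ok: false, status: 401, reason: "not authenticated" };
  }

  // 2. The target must parse as an absolute URL.
  let target;
  try {
    target = new URL(targetUrl);
  } catch (e) {
    return { ok: false, status: 400, reason: "invalid target url" };
  }

  // 3. Only forward to allow-listed servers (URL is normalised by the parser,
  //    so "..", mixed case hosts and missing slashes cannot bypass the prefix check).
  const allowed = ALLOWED_SERVERS.some((s) => target.href.startsWith(s.prefix));
  if (!allowed) {
    return { ok: false, status: 403, reason: "target host not allowed" };
  }

  // 4. The client must never supply its own token; refuse rather than overwrite,
  //    since a token in the client request means it leaked somewhere.
  if (target.searchParams.has("token")) {
    return { ok: false, status: 400, reason: "client-supplied token rejected" };
  }

  // 5. Attach the user's server-side token. For POST requests the proxy should
  //    place it in the form body instead so it does not land in access logs.
  target.searchParams.set("token", session.arcgisToken);
  return { ok: true, url: target.href };
}

module.exports = { ALLOWED_SERVERS, buildProxiedRequest };
```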