
Manage authentication in a custom web app relying on Alfresco Repository

Question asked by mlagneaux on Aug 11, 2016
Latest reply on Sep 22, 2016 by ddraper

I'm working on a web application relying on Alfresco Repository (Community 5.1) as a back end. It can be seen as an alternative to Alfresco Share.

I have several questions about managing authentication in this web application.

For now, my login page makes a POST request to the native webscript /alfresco/s/api/login. This webscript returns a ticket (which I store in sessionStorage for the moment); I use that ticket in each request to Alfresco by adding the following parameter at the end of my URL: "&alf_ticket=[my ticket]".

This works, but several things bother me:
- I have to get my ticket back in JavaScript and concatenate the alf_ticket parameter to each HTTP request to Alfresco
- The ticket appears in clear text in every URL I call: this does not seem very good from a security standpoint

Are there any best practices to authenticate and query Alfresco from this kind of web app? Has anyone ever tried to do this, and how?
I saw that Share authentication uses various cookies, including the JSESSIONID cookie, which is associated with the path /alfresco. Should I use this cookie rather than alf_ticket? If so, how do I get it?

Thank you in advance for your help.
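
The login flow described in the question, with the ticket carried in an `Authorization` header instead of the `alf_ticket` URL parameter, as an added example that is not part of the original post. It assumes the repository accepts the ticket as the HTTP Basic password with the user name `ROLE_TICKET` and that the login webscript answers with `{"data":{"ticket":"..."}}`; the host name, helper names and ticket values are constructed.

```javascript
// Added example: keep the Alfresco ticket out of request URLs.
// Assumption: the repository accepts the ticket as the HTTP Basic password
// with the user name ROLE_TICKET. Hosts and tickets used here are constructed.
const TICKET_USER = 'ROLE_TICKET';

// Base64 in the browser (btoa) or in Node (Buffer).
function base64(s) {
  return typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');
}

// Describe the login call: credentials travel in the POST body, never in the URL.
function buildLoginRequest(baseUrl, username, password) {
  return {
    url: new URL('/alfresco/s/api/login', baseUrl).toString(),
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  };
}

// Extract the ticket from the login response body and reject anything else.
function parseTicket(responseText) {
  const ticket = JSON.parse(responseText)?.data?.ticket;
  if (typeof ticket !== 'string' || !ticket.startsWith('TICKET_')) {
    throw new Error('login response did not contain a ticket');
  }
  return ticket;
}

// Build a request that carries the ticket in a header and drops any
// alf_ticket parameter still present in the URL.
function buildAuthorizedRequest(url, ticket, init = {}) {
  const clean = new URL(url);
  clean.searchParams.delete('alf_ticket');
  return {
    ...init,
    url: clean.toString(),
    headers: { ...(init.headers || {}), Authorization: 'Basic ' + base64(`${TICKET_USER}:${ticket}`) },
  };
}

// Redact tickets from URLs before they reach client-side logs or error reports.
function redactTicket(url) {
  return String(url).replace(/([?&]alf_ticket=)[^&#]*/g, '$1[REDACTED]');
}
```

Each returned object can be passed to `fetch(req.url, req)`; the ticket then stays out of browser history, `Referer` headers and server access logs, which record URLs but not the `Authorization` header by default.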