Is it possible to determine the current user's authentication status via a public WebMethod? Here's what I've got so far:
    [WebMethod]
    public bool IsAuthenticated()
    {
        return Context.User.Identity.IsAuthenticated;
    }
Because there's nothing passed in to this method and the Context.User is "Anonymous" and is technically unauthenticated at this point, the response is always false, even for authenticated users.
My next thought was to pass in the user's UserProviderKey (GUID) and use that to generate a generic principal to validate. I'm not sure if that's possible or if the GUID itself provides enough security to prevent people from retrieving the authentication status of other users.
You would need to pass the authentication cookie with the web request. This is the way .NET knows if a user is authenticated or not (assuming you are using standard authentication).
The authentication cookie has nothing to do with the session cookie, which is highly insecure.
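One way to send the authentication cookie with the request from server-side code, as an added example that is not part of the original posts. The class name `AuthStatusClient` and the `serviceUrl` parameter are hypothetical, and it assumes the .asmx service runs under the same forms-authentication configuration as the caller and has the `HttpPost` protocol enabled in web.config.

```csharp
using System;
using System.IO;
using System.Net;
using System.Web;
using System.Web.Security;
using System.Xml;

public static class AuthStatusClient // hypothetical helper, not from the page
{
    // Calls the IsAuthenticated WebMethod on behalf of the current caller by
    // forwarding that caller's forms-authentication cookie.
    // serviceUrl is a placeholder for ".../YourService.asmx/IsAuthenticated".
    public static bool QueryIsAuthenticated(HttpRequest incoming, Uri serviceUrl)
    {
        // The ticket is a bearer credential: never forward it over plain HTTP.
        if (serviceUrl.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Service URL must use HTTPS.", "serviceUrl");

        // FormsCookieName is ".ASPXAUTH" unless overridden in web.config.
        HttpCookie ticket = incoming.Cookies[FormsAuthentication.FormsCookieName];
        if (ticket == null || string.IsNullOrEmpty(ticket.Value))
            return false; // no ticket: the service would see an anonymous user

        var request = (HttpWebRequest)WebRequest.Create(serviceUrl);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = 0; // the method takes no parameters
        request.CookieContainer = new CookieContainer();
        request.CookieContainer.Add(
            new Cookie(ticket.Name, ticket.Value, "/", serviceUrl.Host));

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            // The ASMX HTTP POST binding answers with <boolean>true</boolean>.
            var doc = new XmlDocument();
            doc.XmlResolver = null; // do not resolve external entities
            doc.LoadXml(reader.ReadToEnd());
            return XmlConvert.ToBoolean(doc.DocumentElement.InnerText);
        }
    }
}
```

With the cookie attached, `Context.User` inside the WebMethod is built from the decrypted ticket, so no user identifier has to be passed as a parameter.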