6

I am building a RESTful service using ASP.NET Web API with custom token-based authentication. The client will send credentials on the first call. The service will create an encrypted token using the user details, and this token will be used for authentication from this point onwards. Now the service needs to send this token back to the client. Initially I kept the token in a custom HTTP response header so that the client can read the value independently of the data returned by the service. This worked well when client and service were in the same domain, but failed in the cross-domain scenario. I have CORS enabled on my service and added all kinds of headers like "Access-Control-Expose-Headers", "Access-Control-Allow-Origin: *" etc. But the cross-domain client is not able to read the custom response header I created, which is "SecureToken:". I saw in a couple of posts that web browsers have some issues with reading custom response headers in cross-domain scenarios. So now I am thinking of sending the secure token through a common base class of all the ViewModel/data objects sent from the service.

From this context I have a couple of questions:

  1. What is the best place to send custom secure tokens? Is it in the response header or as a common property in the base class of the ViewModel/data classes?

  2. Is there a standard HTTP response header that I can use to send the token and custom information so that even cross-domain clients can read it?

Any help will be greatly appreciated! Thanks!

1
  • Hi tpeczek - Thanks for taking time to look into this question. I've seen this article before: codebetter.com/johnvpetersen/2012/04/02/… . I've already implemented token-based authentication which is using private key encryption. The question is how to send the updated token (when the session timeout is updated, a new token is generated) without logging out the user. A specific response header was the best option, but unfortunately cross-domain clients can't read non-standard response headers. Commented Sep 27, 2012 at 10:58

1 Answer

3

The Authorization header is intended for this. Check section 14.8 in this link for details on how to use it.


2 Comments

Isn't Authorization a request header? I was asking about the HTTP "Response" header.
Authorization is a valid header for both request and response. You can/should definitely use the Authorization header with a custom scheme to return the token.
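Whichever header name carries the token, the browser applies the same CORS rule before script can read it: only the CORS-safelisted response headers plus the names listed in Access-Control-Expose-Headers are readable cross-origin, and a wildcard origin or wildcard expose list is rejected for credentialed requests. The following model of that rule is an added example, not code from the question or answer; the origin, header values and token string are constructed placeholders.

```javascript
// Model of the browser-side CORS filter that decides which response headers a
// cross-origin script may read (added example, simplified from the Fetch spec).
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length", "content-type",
  "expires", "last-modified", "pragma",
]);

// Returns the sorted, lower-cased names of the headers in `headers` that a
// page at `origin` can read; `withCredentials` models cookies/withCredentials.
function readableCorsHeaders(headers, origin, withCredentials) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  // Step 1: origin check. "*" is refused when the request carried credentials.
  const allowOrigin = lower["access-control-allow-origin"];
  const originOk = allowOrigin === origin || (allowOrigin === "*" && !withCredentials);
  if (!originOk) return [];
  if (withCredentials && lower["access-control-allow-credentials"] !== "true") return [];

  // Step 2: safelisted names plus those explicitly exposed by the server.
  const list = (lower["access-control-expose-headers"] || "")
    .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
  if (list.includes("*") && !withCredentials) {
    // Wildcard exposure: every header name becomes readable (non-credentialed only).
    return Object.keys(lower).sort();
  }
  const exposed = new Set(SAFELISTED);
  for (const name of list) if (name !== "*") exposed.add(name);
  return Object.keys(lower).filter(h => exposed.has(h)).sort();
}

// Constructed sample responses for the scenario in the question (placeholders).
const ORIGIN = "https://app.example";
const withoutExpose = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "*",
  "SecureToken": "PLACEHOLDER-TOKEN",   // custom header from the question, not exposed
};
const withExpose = { ...withoutExpose, "Access-Control-Expose-Headers": "SecureToken" };
// The answer's suggestion, returned as a response header but not exposed.
const authResponse = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "*",
  "Authorization": "CustomScheme PLACEHOLDER-TOKEN",
};
```

The Authorization response header is not on the safelist either, so it stays invisible to cross-origin script until it is named in Access-Control-Expose-Headers just like SecureToken.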
