MVC 5 Web API Login without Bearer Token


Long story short. I have a login form in the header on every single page, when I log in successfully it works fine but when the user is incorrect for example it redirects to the default login page (a view that was originally created with MVC project) with the model errors. I don't want to do that, I want to show errors next to the login form without redirecting. So I decided to implement a login via WEB API - i.e. it does $.ajax jQuery request to the Login API Controller, tries to log user in and returns errors if needed so I can output them where I want.

All examples I've seen say to use Bearer Access Token. I don't understand why would I need to go this path - save the token somewhere and pass it along with every single request in the headers? That's what I did in my Login API Controller:

var user = await UserManager.FindAsync(model.UserName, model.Password); if (user != null) { Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie); var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie); Authentication.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity); } else { error = "Invalid username or password."; }

This is the same functionality that is available out of the box when you create MVC5 project. I just moved it from regular controller to API controller. And it works without needing to take care of some bearer access tokens. What's the point of it if you could just do it like I did? I think it just makes requests more complicated when you use bearer token. Am I missing anything?


As I understand this, the bearer token would make more sense when you need to have a separately available backend authenticated with the same login as the front end we site in a pass through so the back end can "see" the request as coming from the same user.

You can verify that after logging in this way both the front end web site and backend api are sending the same session cookie, and if so you are golden. If on different domains, you may have problems with that, but otherwise not. If so, then a bearer token to pass that user to the backend may come back into play.


  • SAVE attribute needed for Fortran variables when only the C_LOC address is returned to a C program?
  • Reading a file into a multidimensional array
  • Object and struct member access and address offset calculation
  • Django simple Captcha “No module named fields” error
  • Hardware Accelerated Image Scaling in windows using C++
  • Magento Fatal error: Maximum execution error solution, on WAMP
  • How to attach a node.js readable stream to a Sendgrid email?
  • Sencha Touch 2.0 Controller refs attribute not working?
  • Django rest serializer Breaks when data exists
  • Reading JSON from a file using C++ REST SDK (Casablanca)
  • Recording logins for password protected directories
  • FB SDK and cURL: Unknown SSL protocol error in connection to graph.facebook.com:443
  • Is there any way to access browser form field suggestions from JavaScript?
  • C# - Serializing and deserializing static member
  • Bug in WPF DataGrid
  • How would I use PHP exceptions to define a redirect?
  • How to redirect a user to a different server and include HTTP basic authentication credentials?
  • Incrementing object id automatically JS constructor (static method and variable)
  • Fill an image in a square container while keeping aspect ratio
  • Deserializing XML into class C#
  • Javascript + PHP Encryption with pidCrypt
  • Symfony2: How to get request parameter
  • Hazelcast - OperationTimeoutException
  • Function pointer “assignment from incompatible pointer type” only when using vararg ellipsis
  • Rearranging Cells in UITableView Bug & Saving Changes
  • RestKit - RKRequestDelegate does not exist
  • Is there a mandatory requirement to switch app.yaml?
  • bootstrap to use multiple ng-app
  • Windows forms listbox.selecteditem displaying “System.Data.DataRowView” instead of actual value
  • Revoking OAuth Access Token Results in 404 Not Found
  • log4net write single file for each call to log.info
  • Getting error when using KSoap library to consume .NET web services
  • Qt: Run a script BEFORE make
  • python draw pie shapes with colour filled
  • Reading document lines to the user (python)
  • Binding checkboxes to object values in AngularJs
  • How to Embed XSL into XML
  • UserPrincipal.Current returns apppool on IIS
  • Conditional In-Line CSS for IE and Others?
  • How to load view controller without button in storyboard?