Currently I'm working on an implementation where my web application (ASP.NET stack) communicates with an internal C# asmx web service which acts as a proxy to retrieve the key from the token service, store it in session, and pass it back as a cookie/JSON to the requesting client. There is also logic in there to ensure they get back a token with integrity.
My problem is I am looking for a way to ensure that the cookie is safe. I have the cookie set to HttpOnly and Secure. The problem is, of course, I can't access the cookie via the JavaScript API. Also, due to security requirements, appending the token to the URL is not an option. So I removed that and then just did the standard:
    var token = {
        "server": "<internal domain hosting arcgis server>/arcgis/rest",
        "userId": "<username>",
        "token": result.d.Token,
        "ssl": false,
        "expires": result.d.Expires
    };
    // Register the token with the identity manager for this server
    kernel.id.registerToken(token);
But after I add the layers and initialize everything, the map is blank, and when I try to forward or reverse geocode I get the error "Uncaught TypeError: Cannot read property 'wkid' of undefined".
Is there a better way of using the token to secure calls and layers made in JavaScript?