My Web application is a Single Page Application and its server front-end is a mix of ASP.NET MVC and WebAPI routes. All View routes (actually there is only one) allow anonymous access, but all ApiControllers are guarded by AuthorizeAttribute. There is a special ApiController, SecurtyApiController, with the following routes: Login and GetCurrentUser (each route is mapped onto the corresponding method), which allow anonymous access.
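An added example (not the original author's code) of how that route layout is expressed in ASP.NET Web API 2: AuthorizeAttribute registered as a global filter denies anonymous calls to every ApiController action, and only Login and GetCurrentUser opt out with [AllowAnonymous]. The class name is spelled SecurityApiController here, the route strings are assumed, and credential validation and token issuance are labelled placeholders for the real user store.

```csharp
using System.Security.Principal;
using System.Web.Http;

// Assumed WebApiConfig: a global AuthorizeAttribute makes every ApiController
// action require an authenticated user unless it is marked [AllowAnonymous].
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new AuthorizeAttribute());
        config.MapHttpAttributeRoutes();
    }
}

public class LoginRequest
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

[RoutePrefix("api/security")]   // assumed prefix
public class SecurityApiController : ApiController
{
    // Anonymous by design: a caller cannot be authenticated before logging in.
    [AllowAnonymous]
    [HttpPost, Route("login")]
    public IHttpActionResult Login(LoginRequest request)
    {
        if (request == null || !ModelState.IsValid)
            return BadRequest();
        if (!ValidateCredentials(request.UserName, request.Password))
            return Unauthorized();   // 401 without saying which field was wrong
        // The SPA sends this token back in the Authorization header; unlike a
        // cookie, the browser never attaches it to a request on its own.
        return Ok(new { token = IssueToken(request.UserName) });
    }

    // Anonymous so the SPA can ask "who am I?" at start-up without a 401;
    // the identity is reported only when the request carried valid credentials.
    [AllowAnonymous]
    [HttpGet, Route("current-user")]
    public IHttpActionResult GetCurrentUser()
    {
        IPrincipal principal = User;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return Ok(new { authenticated = false });
        return Ok(new { authenticated = true, name = principal.Identity.Name });
    }

    // Placeholders (hypothetical): replace with the application's user store.
    private static bool ValidateCredentials(string user, string password) => false;
    private static string IssueToken(string user) => "<token placeholder>";
}
```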
Most web applications today use browser cookies to keep a user logged in while she is using the application. Cookies are a decades-old mechanism and they do not stand up well to the security threats that have emerged on the modern web. In particular, because the browser attaches cookies to every request to their origin automatically, cookie-based sessions are vulnerable to cross-site request forgery. Web applications can be made more secure by using OAuth for session authentication.
Single page web applications – or SPAs, as they are commonly referred to – are quickly becoming the de facto standard (via Important Considerations When Building Single Page Web Apps | Nettuts)