Last post Feb 02, 2014 07:06 AM by SeeNoWeevil
Jan 29, 2014 12:09 PM|SeeNoWeevil
I have a single-page application with an ASP.NET Web Api decorated with the Authorize attribute, using forms authentication. The issue I'm seeing occurs when an ajax call is made at the client and the .ASPXAUTH cookie is not present (i.e. has expired). For some reason the browser (both Chrome and IE) is showing its built-in username/password authentication dialog. It's doing this seemingly before the request actually completes; Chrome shows the request as 'Pending'. I don't want to see this dialog, I want the request to go through and then handle the '401 Unauthorized' returned by the Web Api controller. The ajax call is made by Breeze.js performing a save, see screenshot below;
Jan 30, 2014 05:38 AM|SeeNoWeevil
The issue was observed when accessing my app from its live domain. I've just noticed the problem doesn't occur when running locally from the IDE. The ajax call doesn't trigger the browser's authentication dialog and Web Api returns the expected 401. Odd.
The only solution I can think of so far is to not even attempt the ajax call if no asp auth cookie is present.
Feb 02, 2014 07:06 AM|SeeNoWeevil
Sussed it, kind of. Checking Fiddler I can see IIS 8.0 from my provider is returning WWW-Authenticate headers for ajax calls without the asp cookie. IIS Express 8.0 locally doesn't. Does anyone know why this is?
The only solution I can think of is to extend the standard Web Api Authorize attribute and on auth failure, remove the WWW-Authenticate headers from the response. Difficult to test though as it doesn't occur locally. Doing the opposite and manually adding the headers replicates the issue with IIS Express. I might try and upgrade to full IIS.
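The header comparison described in the last post can be scripted. The following is an added example, not part of the original thread: it parses the `WWW-Authenticate` challenges out of a captured 401 response and reports the schemes that can trigger the browser's built-in credential dialog. The function names, the sample header lines and the set of schemes treated as prompt-triggering are assumptions of this example.

```javascript
// Added example; the header samples below are constructed, not captured from the thread.
// Assumption: these are the schemes for which a browser can show its own credential dialog.
const PROMPTING_SCHEMES = new Set(["basic", "digest", "ntlm", "negotiate"]);
// A challenge starts with a scheme token followed by whitespace or end; "name=value" is a parameter.
const SCHEME = /^([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+[^\s=]|$)/;

// Split a header value on commas that are not inside a quoted string.
function splitOutsideQuotes(value) {
  const parts = [];
  let current = "", inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\") { current += ch + (value[++i] ?? ""); continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === "," && !inQuotes) { parts.push(current.trim()); current = ""; continue; }
    current += ch;
  }
  parts.push(current.trim());
  return parts.filter(Boolean);
}

// Return the lower-cased schemes challenged in raw "Name: value" header lines.
function challengeSchemes(headerLines) {
  const schemes = [];
  for (const line of headerLines) {
    const idx = line.indexOf(":");
    if (idx < 1 || line.slice(0, idx).trim().toLowerCase() !== "www-authenticate") continue;
    for (const part of splitOutsideQuotes(line.slice(idx + 1))) {
      const m = SCHEME.exec(part);
      if (m) schemes.push(m[1].toLowerCase());
    }
  }
  return schemes;
}

// Schemes in a 401 response that can make the browser prompt instead of handing the 401 to script.
function promptingSchemes(status, headerLines) {
  if (status !== 401) return [];
  return challengeSchemes(headerLines).filter((s) => PROMPTING_SCHEMES.has(s));
}

// Constructed samples: a 401 with challenges (as seen on the hosted IIS) and one without.
const hostedIis = ["Content-Type: application/json", 'WWW-Authenticate: Negotiate, Basic realm="example, host"'];
const iisExpress = ["Content-Type: application/json", "X-Powered-By: ASP.NET"];
console.log("hosted IIS:", promptingSchemes(401, hostedIis));
console.log("IIS Express:", promptingSchemes(401, iisExpress));
```

Feeding it the response headers copied from a Fiddler session for each environment shows which host is adding the challenge.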