c# - .net CORS - Losing Allow Origin header when the response is 401 - not authorized -




I'm trying to determine why/how I'm losing the 'Access-Control-Allow-Origin' header when the response is 401-Unauthorized.

I'm using token-based authentication where the token has an expiration date. When the token expires, the server returns a 401-Unauthorized, as it should, but Chrome (and IE and FF) never sees the Allow Origin header and errors with the usual CORS error: XMLHttpRequest cannot load http://my.rest.service. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

I'm not sure what's relevant here, though; the auth logic works fine, but CORS chokes when the response is 401.

C# CORS handler

```csharp
namespace NViewRest.Handlers
{
    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Threading;
    using System.Threading.Tasks;

    /// <summary>
    /// Handler for processing Cross Origin Resource Sharing (CORS) requests
    /// </summary>
    public class CorsHandler : DelegatingHandler
    {
        /// <summary>The origin.</summary>
        private const string Origin = "origin";

        /// <summary>Header indicating we should treat this as a CORS request.</summary>
        private const string EnableCors = "x-enablecors";

        /// <summary>The access control request method.</summary>
        private const string AccessControlRequestMethod = "access-control-request-method";

        /// <summary>The access control request headers.</summary>
        private const string AccessControlRequestHeaders = "access-control-request-headers";

        /// <summary>The access control allow origin.</summary>
        private const string AccessControlAllowOrigin = "access-control-allow-origin";

        /// <summary>The access control allow methods.</summary>
        private const string AccessControlAllowMethods = "access-control-allow-methods";

        /// <summary>The access control allow headers.</summary>
        private const string AccessControlAllowHeaders = "access-control-allow-headers";

        /// <summary>
        /// Send the async request
        /// </summary>
        /// <param name="request">The request.</param>
        /// <param name="cancellationToken">The cancellation token.</param>
        /// <returns>The <see cref="Task"/>.</returns>
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // If it has our NFIB enable-CORS header or the Access-Control-Request-Method header, we're assuming a CORS request
            var isCorsRequest = request.Headers.Contains(AccessControlRequestMethod) || request.Headers.Contains(EnableCors);

            // Preflight == OPTIONS request - sent prior to CORS requests
            var isPreflightRequest = request.Method == HttpMethod.Options;

            // Quick exit if this is a normal request
            if (!isCorsRequest)
            {
                return base.SendAsync(request, cancellationToken);
            }

            // Actual CORS request - add the appropriate header before executing as normal
            if (!isPreflightRequest)
            {
                return base.SendAsync(request, cancellationToken).ContinueWith(
                    t =>
                    {
                        var resp = t.Result;
                        resp.Headers.Add(AccessControlAllowOrigin, request.Headers.GetValues(Origin).First());
                        return resp;
                    },
                    cancellationToken);
            }

            // At this point it is a preflight request - add headers to indicate allowed origins
            var response = new HttpResponseMessage(HttpStatusCode.OK);
            response.Headers.Add(AccessControlAllowOrigin, request.Headers.GetValues(Origin).First());

            // Add header to indicate allowed methods
            var accessControlRequestMethod = request.Headers.GetValues(AccessControlRequestMethod).FirstOrDefault();
            if (accessControlRequestMethod != null)
            {
                response.Headers.Add(AccessControlAllowMethods, accessControlRequestMethod);
            }

            // Add headers to indicate allowed headers
            var requestedHeaders = string.Join(", ", request.Headers.GetValues(AccessControlRequestHeaders));
            if (!string.IsNullOrEmpty(requestedHeaders))
            {
                response.Headers.Add(AccessControlAllowHeaders, requestedHeaders);
            }

            // Send the result of the OPTIONS request
            var tcs = new TaskCompletionSource<HttpResponseMessage>();
            tcs.SetResult(response);
            return tcs.Task;
        }
    }
}
```

I can step through the lines that add the header, even when the response is 401, so I know that on the .NET end it is being added.

JavaScript Ajax call

```javascript
function executeAjax(method, url, data, token) {
    url = (url.indexOf('/') === 0) ? url : "/" + url;

    var options = {
        method: method,
        url: app.settings.apiUrlRoot + url,
        data: data
    };

    token = token || localStorage.getItem("sessionkey");

    options.headers = {
        "accept": "application/json",
        // header enabling CORS
        "x-enablecors": 'true'
    };

    if (token !== undefined && token !== null) {
        options.headers["x-adauth"] = token;
    }

    return $.ajax(options);
}
```

The result of the call is the CORS error referenced earlier.

There are no issues with a firewall or middleware stripping these out that I know of, since any other non-401 Ajax request executes fine.

Any thoughts on why the header is disappearing?

I had the same issue and solved it by explicitly adding the CORS header to the 401 response before it was returned.

```csharp
var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("bearer", "errormessage"));
response.Headers.Add(AccessControlAllowOrigin, "*");
return response;
```

c# ajax cors
