
I'm in charge of a Microsoft .NET Web API that authenticates requests based on credentials sent in the request headers. If the credentials are missing or incorrect, the API returns a 401 Unauthorized message. The code to do this is pretty straightforward.

   if (!ValidateCredentials(Request, this.ServiceName))
   {
      throw new HttpResponseException(HttpStatusCode.Unauthorized);
   }

This works as expected when calling the API from code in other applications (JS, C#, etc).

I recently had a 3rd party developer contact me to make calls to our API who is not primarily a Windows/.Net developer. He wanted to start by calling an API method (which is an HTTP GET method) in a browser, to make sure he got the expected 401 error. He didn't get a 401 - he got no response at all.

I did some testing and found the following:

  • In Postman (without the appropriate headers), I get a 401 response and it indicates a secure connection.
  • In Chrome, I get a 401 but I also got a "your connection to the site is not secure" message even though I'm using HTTPS.
  • In Internet Explorer, I get a blank screen and a 401 in the developer tools, and it indicates a secure connection.
  • In Firefox, I get no response. Instead the developer tools shows the request as "Blocked" (listed in the "Transferred" column).
  • In Edge, the browser seems to stall out. I don't get any response, nothing even shows up as an outbound request in developer tools, and the refresh button stays perpetually as a cancel button.

Is there something wrong with how the API is responding to these requests or are they simply quirks of the respective browsers?

Aaron S
  • Which version of Edge are you using? I suggest that you use [Fiddler](https://www.telerik.com/fiddler) to track the API calls in the browsers. You can compare the network traffic between Edge and other browsers to see if there's any difference; this may give us some hints about the issue. It's hard to figure out with only the above description. – Yu Zhou Jan 29 '21 at 03:11
  • I'm using Edge 44.19041.423.0 on my workstation. I can't test with Fiddler on my workstation because I can't add the security certificate needed to log HTTPS. I was able to get a virtual Windows Server 2019 off our domain to test with, but I was only able to test Chrome and Firefox. Fiddler shows the 401 response, but I can't tell if the SSL cert is valid in Fiddler. From what I'm able to test, I'm assuming that the API isn't at fault. – Aaron S Feb 03 '21 at 19:03
  • It's hard to tell what's going wrong as nothing shows in Edge and you can't test with Fiddler. But it should be Edge Legacy's issue, as I have met issues like this before: [thread 1](https://stackoverflow.com/questions/58157960/post-method-not-working-in-edge-browser-but-it-is-working-in-other-browser-like/58182966#58182966), [thread 2](https://stackoverflow.com/questions/60995309/angular-9-application-is-stuck-on-microsoft-edge). I suggest using the latest Edge Chromium instead of Edge Legacy. – Yu Zhou Feb 05 '21 at 08:23
