0

I've just noticed an issue that is occurring when I publish my ASP.NET MVC 4 project onto our UAT web server that I am not getting when testing locally. I have a form with dropdowns which are populated by AJAX calls to get values from stored procedures. The calls are seemingly randomly returning 403 forbidden errors and I can't determine why. The method being called works fine one moment, then 403 the next. Any tips would be much appreciated. Please see details below:

Ajax JQuery call:

    $.fn.GetOriginalValue = function() {
        var cobId = $("#startcob").val();
        var sourceSystemId = $("#SelectedSourceSystemID").val();
        var sourceSystem = $("#SelectedSourceSystemName").val();
        var metricName = $("#SelectedMetricName").val();

        var clientId;
        var dataToSend;

        if (isJuno) {
            clientId = $("#ClientID").val();
            var key2 = $("#key2").val();
            var key3 = $("#key3").val();
            var key4 = $("#key6").val();
            var key5 = $("#key9").val(); 
            var currency = $("#cmdCurrency").val();
            dataToSend = {
                key1: clientId,
                key2: key2,
                CobId: cobId,
                key3: key3,
                key4: key4,
                key5: key5,
                metricName: metricName,
                currency: currency,
                sourceSystem: sourceSystem
            };
        } 

        if (dataToSend != null) {
            $.ajax({
                cache: false,
                type: 'POST',
                url: '@Url.Action("GetCurrentValueJuno")',
                data: dataToSend,
                success: function(data) {
                    if (data.success && data.currentValue != null) {
                        $("#OriginalValue").val(data.currentValue);
                    } else {
                        $("#OriginalValue").val("");
                    }
                }
            });
        }
    };

Controller method:

    /// <summary>
    /// Lookup the current value of a metric
    /// </summary>
    /// <param name="key1"></param>
    /// <param name="key2"></param>
    /// <param name="cobId"></param>
    /// <param name="key3"></param>
    /// <param name="key4"></param>
    /// <param name="key5"></param>
    /// <param name="metricName"></param>
    /// <param name="currency"></param>
    /// <param name="sourceSystem"></param>
    /// <returns></returns>
    [AllowCrossSiteJson]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult GetCurrentValueJuno(
        int? key1,
        int? key2,
        DateTime? cobId,
        string key3,
        int? key4,
        int? key5,
        string metricName,
        string currency,
        string sourceSystem
        )
    {
        if (key1 != null && key2 != null && cobId != null)
        {
            //method calls stored procedure to obtain current value based on inputs provided
            var metrics = CFAQueries.GetCurrentValueJuno(
                key1,
                key2,
                cobId,
                key3,
                key4,
                key5,
                metricName,
                sourceSystem);

            var currentValue = metrics?.Value ?? 0;

            if (!string.IsNullOrEmpty(currency))
            {
                var fxrate = GetFxRate((DateTime)cobId, currency);
                currentValue = currentValue / (fxrate ?? 1);
            }

            return Json(
                new
                {
                    currentValue = currentValue,
                    success = metrics != null
                },
                JsonRequestBehavior.AllowGet);
        }

        return Json(
            new
            {
                success = false
            },
            JsonRequestBehavior.AllowGet);
    }

The screenshots show the Network tab with the method call, one failing and one succeeding, moments apart, with the exact same form inputs.

Following investigation, I have tried adding the following to my web.config:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Access-Control-Allow-Origin" value="*" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

And I've also tried the accepted answer in this: Setting Access-Control-Allow-Origin in ASP.Net MVC - simplest possible method

However, neither has solved my issue. Any help or suggestions would be much appreciated. Thank you.

Barrassment
  • 75
  • 1
  • 7

2 Answers

0

you have multiple access-control-allow-origin

check this Question Access-control-allow-origin with multiple domains

Jayrag Pareek
  • 354
  • 3
  • 15
  • Thanks, I removed the [AllowCrossSiteJson] and republished but still getting the same mixed responses, mostly working, but occasionally not, however now with one line for access-control-allow-origin. – Barrassment May 04 '21 at 11:09
  • do you allow Access-Control-Allow-Origin in Global.asax.cs ?? – Jayrag Pareek May 04 '21 at 11:15
  • POST http://crrfwsuat.barcapint.com/CAMJUNO/CFA/GetCurrentValueJuno 403 (Forbidden) send @ jquery?v=Ahs0DmGdq6s…9HvfWfUlDTMZlXdY1:1 ajax @ jquery?v=Ahs0DmGdq6s…9HvfWfUlDTMZlXdY1:1 jQuery.ajax @ DXR.axd?r=1_225,1_16…2,1_173-4iXKf:10654 $.fn.GetOriginalValue @ VM1165:343 $.fn.SetDropdownRequired @ VM1165:261 eval @ VM1165:157 dispatch @ jquery?v=Ahs0DmGdq6s…9HvfWfUlDTMZlXdY1:1 s @ jquery?v=Ahs0DmGdq6s…9HvfWfUlDTMZlXdY1:1 ListPicker._handleMouseUp – Barrassment May 04 '21 at 11:24
  • No, I allow it in the web.config only now. Like so: – Barrassment May 04 '21 at 11:25
  • set any Route in RouteConfig.cs? – Jayrag Pareek May 04 '21 at 11:43
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/231924/discussion-between-jayrag-pareek-and-barrassment). – Jayrag Pareek May 04 '21 at 11:49
0

After being in trouble for two days on this problem...

My project was running well on my development machine and on my client's server, but only directly on that server. Errors appeared when running queries from "the internet".

The client had installed a WAF that was blocking requests and returning 403 errors. I couldn't find any logs on these errors in IIS; it should have tipped me off more quickly.

I don't know if it's the same situation for Barrassment, but I'm sharing my solution; maybe it can help others...

Code that worked for three years... on multiple servers

    $.ajax({
        type: "POST",
        url: "/People/Typeahead",
        data: "{'query':'" + query + "'}",
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        success: function (data) {}
    })

Code that works now. The WAF couldn't parse JSON with single quotes as separator... so my solution was just to use JSON.stringify:

    $.ajax({
        type: "POST",
        url: "/People/Typeahead",
        data: JSON.stringify({
            query: query
        }),
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        success: function (data) {}
    })
pjaaar
  • 71
  • 1
  • 6
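
The difference between the two request bodies in the answer above, as an added example that is not part of the original answer: the hand-concatenated body is never valid JSON, while the `JSON.stringify` body always is, whatever the user types. `strictJsonCheck` stands in for the WAF's JSON inspection, which is an assumption (the answer does not name the WAF or its rules); all function names and sample queries are constructed for illustration.

```javascript
// Added example: names below are hypothetical and not from the original post.

// The body the old code produced: hand-built, single-quoted pseudo-JSON.
function buildBodyByConcat(query) {
    return "{'query':'" + query + "'}";
}

// The body the fixed code produces: serialized by the JSON encoder.
function buildBodyByStringify(query) {
    return JSON.stringify({ query: query });
}

// Stand-in for a strict JSON body parser (assumption: the WAF's JSON
// inspection behaves like JSON.parse and rejects what it cannot parse).
function strictJsonCheck(body) {
    try {
        return { ok: true, value: JSON.parse(body) };
    } catch (e) {
        return { ok: false, error: e.message };
    }
}

// Constructed sample inputs for a typeahead box.
var SAMPLE_QUERIES = ["smith", "O'Brien", 'say "hi"', "back\\slash"];

// For each query, check both bodies against the strict parser and confirm
// that the stringify body carries exactly what the user typed.
function compare(queries) {
    return queries.map(function (q) {
        var concat = strictJsonCheck(buildBodyByConcat(q));
        var strfy = strictJsonCheck(buildBodyByStringify(q));
        return {
            query: q,
            concatAccepted: concat.ok,
            stringifyAccepted: strfy.ok,
            roundTrips: strfy.ok && strfy.value.query === q
        };
    });
}

console.table(compare(SAMPLE_QUERIES));
```

A body that declares `application/json` but only parses under a lenient deserializer will pass on servers without strict inspection and fail behind one, which matches the "worked for three years" symptom.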