Mysterious 401 challenge when using AJAX

I have a .NET Core web app hosted on the net.

I'm using claims based auth via cookies:

When login success...

// Build the principal the auth cookie will carry (`user` and `user.TenantId` are the asker's own types).
var principal = new ClaimsPrincipal();
// new ClaimsIdentity(IIdentity) copies the authentication type from `user`; an identity with no
// authentication type reports IsAuthenticated == false and [Authorize] will challenge it.
var id = new ClaimsIdentity(user);
id.AddClaim(new Claim("ViewData", "Allowed"));   // claim checked by the "ViewData" policy
id.AddClaim(new Claim("TenantId", user.TenantId));
principal.AddIdentity(id);
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

This all works fine for every user apart from one - however, this one particular user (a 3rd party) is running into an auth popup in their browser (they've tried a few) when they interact with a particular page - every other page works fine.

This leads me to believe the issue is environmental, but I want to understand what could be happening here.

The only difference between the page in question and every other page is that this one does an AJAX post to a controller in order to save some data. The Home controller requires auth to view (or edit) the data.

[Authorize(Policy = "ViewData")]

The Ajax is your standard stuff

Razor:

$.ajax({
  type: 'POST',
  url: '@Url.Action("_Save", "Home")',
  dataType: 'json',
  contentType: 'application/json',
  data: ko.toJSON(viewModel.model()),
  success: function (result) {
    //... callback code etc
  }
});

Checking the rendered JS shows that the AJAX call is relative to the current page and therefore isn't going to some strange URL

Raw JS:

$.ajax({
  type: 'POST',
  url: '/Home/_Save',
  dataType: 'json',
  contentType: 'application/json',
  data: ko.toJSON(viewModel.model()) // ... etc
});

I can see the cookie being included in the headers when I look in my browser:

accept: application/json, text/javascript, */*; q=0.01
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8
cache-control: no-cache
content-length: 4775
content-type: application/json
cookie: <cookie details here>

Unfortunately, it being a 3rd party I can't really connect to the machine to view the debug console for the browser.

The question I have really is a longshot - it sounds like it could be a proxy issue but I don't understand why making an AJAX call is any different to making the login POST request, unless of course my AJAX setup is missing some auth data that is required - maybe a header of some sort?

Has anyone seen something like this before?

Charleh asked May 10 '19 11:05


1 Answer

I have seen issues somewhat like this, and they have generally been related to security settings. You might try looking into CSRF headers. It could be several things. This could include a local antivirus, on-machine firewall, anti-spyware, or other privacy / protection application. Since it is a single user, debugging it will be extremely difficult, and I would recommend you figure out how that user's security settings / applications vary from their colleagues'.

Adding your site to the trusted sites list in specific browsers may resolve the single issue. It's almost certainly something hidden in there.

Dylan Brams answered Nov 03 '22 12:11
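As an added example (not code from the question or the answer), here is the server-side wiring the thread touches: the "ViewData" policy behind [Authorize(Policy = "ViewData")] matched to the claim issued at sign-in, an antiforgery header for the JSON POST that the answer's CSRF suggestion points at, and cookie events that answer XHR callers with a status code instead of an HTML login redirect so a failed cookie check is visible in the AJAX error callback. The ASP.NET Core 2.x Startup shape, login path, header name and XHR-detection rule are assumptions.

```csharp
// Added example (not the thread's own code): ASP.NET Core 2.x Startup wiring for the
// pieces discussed above. Login path, header name and request-detection rule are assumptions.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";
                // XHR/JSON callers get a status code instead of the HTML login redirect,
                // so a failed cookie check shows up as 401/403 in the AJAX error callback.
                options.Events.OnRedirectToLogin = ctx => RespondToAjax(ctx, StatusCodes.Status401Unauthorized);
                options.Events.OnRedirectToAccessDenied = ctx => RespondToAjax(ctx, StatusCodes.Status403Forbidden);
            });

        // "ViewData" policy named in [Authorize(Policy = "ViewData")]; it passes only when the
        // signed-in identity carries the Claim("ViewData", "Allowed") issued at login.
        services.AddAuthorization(options =>
            options.AddPolicy("ViewData", policy => policy.RequireClaim("ViewData", "Allowed")));

        // Read the antiforgery token from a request header so a JSON POST can carry it and be
        // checked with [ValidateAntiForgeryToken] on the _Save action.
        services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

        services.AddMvc();
    }

    // Only the cookie middleware decides here; a bare 401 carries no WWW-Authenticate header,
    // so on its own it never triggers the browser's credential prompt.
    private static Task RespondToAjax(RedirectContext<CookieAuthenticationOptions> ctx, int status)
    {
        // jQuery sets X-Requested-With on same-origin $.ajax calls; the Accept check covers dataType: 'json'.
        bool isAjax = ctx.Request.Headers["X-Requested-With"] == "XMLHttpRequest"
                   || ctx.Request.Headers["Accept"].ToString().Contains("application/json");
        if (isAjax)
            ctx.Response.StatusCode = status;
        else
            ctx.Response.Redirect(ctx.RedirectUri);
        return Task.CompletedTask;
    }
}
```

The pipeline still needs app.UseAuthentication() before MVC in Configure, as in any cookie-authenticated ASP.NET Core 2.x app.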