15

I've been using Postman in my app development for some time and never had any issues. I typically use it with Google Chrome while I debug my ASP.NET API code.

About a month or so ago, I started having problems where Postman doesn't seem to send the cookie my site issued.

Through Fiddler, I inspect the call I'm making to my API and see that Postman is NOT sending the cookie issued by my API app. It's sending other cookies but not the one it is supposed to send -- see below:

enter image description here

Under "Cookies", I do see the cookie I issue i.e. .AspNetCore.mysite_cookie -- see below:

enter image description here

Any idea why this might be happening?

P.S. I think this issue started after I made some changes to my code to name my cookie. My API app uses social authentication and I decided to name both cookies i.e. the one I receive from Facebook/Google/LinkedIn once the user is authenticated and the one I issue to authenticated users. I call the cookie I get from social sites social_auth_cookie and the one I issue is named mysite_cookie. I think this has something to do with this issue I'm having.

Sam
  • 1
    Are you testing this locally or on production deploy? – Tarun Lalwani Oct 02 '17 at 16:02
  • Both and in both cases, I'm getting the same results. – Sam Oct 02 '17 at 16:06
  • 1
    Is it deployed on http or https? and is the API call on http or https? – Tarun Lalwani Oct 02 '17 at 16:10
  • Locally, it's `http` but the API that's running on Azure is `https`. – Sam Oct 02 '17 at 16:16
  • 1
    I think your issue might be SSL termination and secure cookie. Try not setting the cookie as secure and see if it works – Tarun Lalwani Oct 02 '17 at 16:18
  • I'll give it a try but I really don't think it's the secure cookie. The same exact setup was working perfectly fine. The only change I made is what I describe in the PS section of original post. Once I get user data from social network, I destroy `social_auth_cookie` and create `mysite_cookie`. I keep thinking somehow this is what's causing the issue. Before I named my cookies, it was the standard ASP.NET cookie -- whatever ASP.NET named the cookie. Do you think naming the cookie could create this issue? – Sam Oct 02 '17 at 16:23
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/155773/discussion-between-tarun-lalwani-and-sam). – Tarun Lalwani Oct 02 '17 at 16:27

4 Answers

3

The cookie in question cannot legally be sent over an HTTP connection because its secure attribute is set.

For some reason, mysite_cookie has its secure attribute set differently from social_auth_cookie, either because you are setting it in code...

```csharp
var cookie = new HttpCookie("mysite_cookie", cookieValue);
cookie.Secure = true;
```

...or because the service is configured to automatically set it, e.g. with something like this in web.config:

```xml
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
```

The flag could also potentially be set by a network device (e.g. an SSL offloading appliance) in a production environment. But that's not very likely in your dev environment.

I suggest you try the same code base but over an https connection. If you are working on code that affects authentication mechanisms, you really really ought to set up your development environment with SSL anyway, or else you are going to miss a lot of bugs, and you won't be able to perform any meaningful pen testing or app scanning for potential threats.

John Wu
  • I didn't set the cookie to secure and there's no web.config in the root of my app. Also, Postman fails to send the cookie both in production and local dev environments. My production uses SSL but localhost doesn't. Do you still think this is caused by cookie being set to secure? – Sam Oct 11 '17 at 04:08
  • The cookie's flag is set to secure. It says so right there. If you didn't set it, you need to figure out who did. I would be careful about drawing inferences by comparing environments, since so many things could be different-- follow the evidence. – John Wu Oct 14 '17 at 18:53
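An added example, not part of the original answer or the asker's code: Python's standard-library cookie jar applies the same client-side rule the answer describes, so it can show which stored cookies a client attaches to an `http` versus an `https` request. The host `api.example.test`, the cookie `other_cookie` and all cookie values are constructed; only the name `.AspNetCore.mysite_cookie` comes from the question.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie lines. The first uses the cookie name from the
# question; the second stands in for the cookies that were still being sent.
SAMPLE_SET_COOKIE = [
    ".AspNetCore.mysite_cookie=constructed-value; path=/; secure; httponly",
    "other_cookie=abc123; path=/",
]


class _Response:
    """Minimal stand-in for an HTTP response carrying Set-Cookie headers."""

    def __init__(self, lines):
        self._headers = email.message.Message()
        for line in lines:
            self._headers["Set-Cookie"] = line  # appends, does not replace

    def info(self):
        return self._headers


def load_jar(origin, set_cookie_lines):
    """Store cookies the way a client would after a response from `origin`."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie_lines), urllib.request.Request(origin))
    return jar


def secure_cookie_names(jar):
    """Names of stored cookies that carry the Secure attribute."""
    return sorted(c.name for c in jar if c.secure)


def names_sent(jar, url):
    """Names of the cookies the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0] for p in header.split("; ") if p)


if __name__ == "__main__":
    jar = load_jar("https://api.example.test/login", SAMPLE_SET_COOKIE)
    print("secure:", secure_cookie_names(jar))
    for url in ("https://api.example.test/api/values",
                "http://api.example.test/api/values"):
        print(url, "->", names_sent(jar, url))
```

To check a real response, paste its `Set-Cookie` header lines in place of the constructed ones and compare the two result lists.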
1

You don't need to worry about cookies if you have them on your browser.

You can use your browser cookies by installing Postman Interceptor extension (left side of "In Sync" button).

Postman Interceptor

Alessandro Hoss
  • I'm already using the Interceptor and it was working beautifully until this issue started. As I mentioned in the original post, the timing of this issue coincides with my naming my cookies. – Sam Oct 13 '17 at 19:33
0

I have been running into this issue recently with ASP.NET Core 2.0. ASP.NET Core 1.1 however seems to be working just fine and the cookies are getting set in Postman.

James
  • 1
  • 1
    Welcome to SO! This would be better posted as a comment on the original question, since you don't have a complete answer ("I've seen this in 2.0 but not in 1.1" doesn't tell us why it's happening, unless it's a well-known bug). Try posting comments until you have an answer you think is satisfying! – Jeremy McGibbon Sep 24 '17 at 19:18
0

From what you have described, it seems like Postman is not picking up the cookie you want, because it doesn't recognize the name of the cookie or it is still pointing to use the old cookie.

Things you can try:

  1. Undo all the name changes and see if it works (just to get to the root of the issue).

  2. Rename one cookie and see if it still works, then proceed with other.

I hope by debugging in this way it will take you to the root cause of the issue.

Vivek