
I have an ASP.NET Core web app with an API that requires users to be authenticated. About a month ago, I realized I could no longer use the Postman API tool because, even though I'm authenticated, my API calls would get a response as if I'm not authenticated.

When I look at the available cookies under the Cookies tab, I see four of them. I recognize one of them but not the other 3.

The cookies I'm seeing in the "Cookies" tab in Postman while making API calls are:

  1. ARRAffinity
  2. .AspNetCore.my_cookie
  3. _ga
  4. _gid

All four cookies are showing my domain. The only difference I've noticed is that the second cookie shows mydomain.com while the others show .mydomain.com. I recognize the second one because I name my cookie, i.e. my_cookie. That one is also the largest one, which also makes sense because I store some information in the cookie. I assume the .AspNetCore prefix is added by my app because it's an ASP.NET Core web app with an API.

What are the other three cookies? Do I need them?

The other important thing I've noticed is that when I use Fiddler to inspect my API call, under the "Cookies" tab in Fiddler, I only see the three cookies that I couldn't identify being sent with the API call. I do NOT see the one that I recognize, which is issued by my site.

Looks like my issues with Postman have something to do with these three unidentified cookies being sent with the API call but not the one that I issue i.e. .AspNetCore.my_cookie is NOT being sent with my API call.

Sam

1 Answer

_ga and _gid are used to collect Google Analytics data.

| Name | Expiration Time | Description |
|------|-----------------|-------------|
| _gid | 24 hours | Used to distinguish users. |
| _gat | 1 minute | Used to throttle request rate. |

If you want to know more about Google Analytics cookies, please read this

On the other hand, for ARRAffinity: Windows Azure Web Sites, by default, use an ARRAffinity cookie to ensure subsequent requests from a user are routed back to the web site instance that the user initially connected to. In other words, Windows Azure Web Sites assumes your web site is not stateless. If you were to scale your web site deployment to multiple instances, the ARR Server processes this ARR Affinity cookie and sends you back to the instance that processed your initial request (the request that originated the cookie).

If you’re not already familiar with this, check out this blog for an in-depth discussion on ARR Affinity for Web Sites and how to disable ARR Affinity if your web site is stateless.

  • Thank you for the detailed explanation. Any idea why the cookie my site issues is not sent with the API call? Looks like all the other cookies are sent with the API call. – Sam Sep 21 '17 at 09:45
  • Interestingly, I have no problems in all calls made through the browser. All my front end calls are answered fine. Postman somehow doesn't send the cookie my app needs to respond to API calls. – Sam Sep 21 '17 at 09:47
  • I don't know what could happen, but I found an interesting link about Postman and cookies: https://www.getpostman.com/docs/postman/sending_api_requests/cookies and maybe check this post on Stack Overflow: https://stackoverflow.com/questions/30890403/sending-cookies-with-postman – Daniel Botero Correa Sep 21 '17 at 14:48
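
Added example, not part of the original question or answers: a reduced version of the RFC 6265 rules a client applies when choosing which cookies to attach to a request, run over the four cookies listed in the question (a cookie shown without a leading dot is host-only, one shown with a leading dot was set with a Domain attribute). The request URLs, cookie paths and Secure flags are assumptions, and the page does not state which host Postman actually called.

```javascript
// Cookie selection per RFC 6265 section 5.4, reduced to domain, path and Secure.
// Expiry and IP-address hosts are left out to keep the example short.

function domainMatches(cookie, host) {
  const domain = cookie.domain.replace(/^\./, "").toLowerCase();
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === domain;           // exact host only
  return host === domain || host.endsWith("." + domain); // host or any subdomain
}

function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Returns null when the cookie would be sent, otherwise the reason it is withheld.
function whyNotSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (!domainMatches(cookie, url.hostname)) {
    return cookie.hostOnly ? "host-only cookie, request host differs" : "domain mismatch";
  }
  if (!pathMatches(cookie.path, url.pathname)) return "path mismatch";
  if (cookie.secure && url.protocol !== "https:") return "Secure cookie on non-HTTPS request";
  return null;
}

function cookiesSent(jar, requestUrl) {
  return jar.filter((c) => whyNotSent(c, requestUrl) === null).map((c) => c.name);
}

// Constructed jar: names and domain forms as listed in the question; paths and flags assumed.
const jar = [
  { name: "ARRAffinity", domain: ".mydomain.com", hostOnly: false, path: "/", secure: false },
  { name: ".AspNetCore.my_cookie", domain: "mydomain.com", hostOnly: true, path: "/", secure: true },
  { name: "_ga", domain: ".mydomain.com", hostOnly: false, path: "/", secure: false },
  { name: "_gid", domain: ".mydomain.com", hostOnly: false, path: "/", secure: false },
];

// Constructed request URLs (hypothetical hosts and path).
for (const url of ["https://mydomain.com/api/items", "https://www.mydomain.com/api/items"]) {
  console.log(url, "->", cookiesSent(jar, url));
  for (const c of jar) {
    const reason = whyNotSent(c, url);
    if (reason) console.log("  withheld:", c.name, "(" + reason + ")");
  }
}
```

Comparing the host in the failing request with the domain column of each cookie, and checking the scheme against the Secure flag, is the quickest way to see which of these rules applies to a given call.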