Server cannot set status after HTTP headers have been sent when doing CORS
Hello,
I'm getting this stack trace when doing a CORS ajax call:
[HttpException (0x80004005): Server cannot set status after HTTP headers have been sent.]
System.Web.HttpResponse.set_StatusCode(Int32 value) +9837007
Devbridge.BasicAuthentication.BasicAuthenticationModule.IssueAuthenticationChallenge(Object source, EventArgs e) in Devbridge.BasicAuthentication\BasicAuthenticationModule.cs:149
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +141
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I'm unclear if this is an issue with Devbridge or if there is something I need to configure in my application. My application is a web project using System.Web.Http.ApiController. My CORS settings were working using the Visual Studio IIS Instance, but when I deployed it to our Azure environment running IIS and using this module, I'm getting that error and the ajax is failing.
Here is the request/response from Chrome Dev Tools:
Request URL:http://[url_of_server]/mtm-ws/get
Request Method:GET
Status Code:200 OK
Remote Address:xx.xx.xx.xx:80

Response Headers
Access-Control-Allow-Origin:*
Cache-Control:no-cache
Content-Encoding:gzip
Content-Type:application/json; charset=utf-8
Date:Wed, 16 Nov 2016 17:32:55 GMT
Expires:-1
Pragma:no-cache
Server:Microsoft-IIS/8.0
Set-Cookie:ARRAffinity=55b6ce1591a0b1ae4902697d2eef16fc9b82765ddc65dff75d745025a4d740fe;Path=/;Domain=[url_of_server]
Transfer-Encoding:chunked
Vary:Accept-Encoding
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET

Request Headers
Accept:/
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:cdilabs.azurewebsites.net
Origin:http://localhost:3000
Referer:http://localhost:3000/mtm.html
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36
Hi Gerb,
Unfortunately we have not used BasicAuthenticationModule with CORS. Please create a pull request if you find a solution.
One more note - it seems that you are trying to protect your API with BasicAuthenticationModule. This module was created to be used for public-facing websites. You should consider other options (like JWT) to secure your API.
Marius
Marius,
Thank you for the suggestion. I'm just using basic auth for demo purposes since I've used the BasicAuthenticationModule before. I'll see if I can get CORS working and will create a pull request. Yes, I will eventually be using JWT to properly secure my API.
Gerb