I just joined a company and I’m trying to understand their application.

Backend

It’s a .NET application with multiple projects in the solutions. It’s developed for .NET 4.8.

I believe it’s developed using ASP.NET MVC.

More relevant projects in the solution are:

• APIs
• Database

They are using NHibernate to access the database (I have never used NHibernate therefore I can’t understand Session handling specially. Don’t know if this session is just with DB or also matters for web requests).

Frontend

For the frontend app, they use Angular JS.

Issue

As instructed, I deployed the apps in the local IIS but of course, this way I can’t debug the code.

I created a website in IIS, point it to the Angular App and created an application inside the website, and point it to the API (backend .NET app). And it’s working fine.

But, when I run both applications from the code, I get errors.

Errors

Initially, it was raising CORS errors, which I resolved by putting enable CORS in the WebApiConfig.cs of the backend application.

Currently, when I start the frontend application, it sends a Session request, and then authenticate request. Both these requests are sending 200 status code. But after that, any request to the API app, is returning back with 401 Unauthorized. The debug breakpoint is not even reaching the controller (which kind of make sense if it is considering unauthorized).

When I debugged further, there is a CookieAuthModule : IHttpModule class, which has OnAuthenticateRequest event registered, and checks for cookie. Which is coming null.

So, I assumed this is the main culprit, and may be if I send cookie information from frontend app it should be resolved.

Trying to get the cookie from the authentication response, I can see the Set-Cookie in the network call’s response header. But I can’t seem to find this property in response.data.headers object.

This is also the difference between headers from same calls going from application running in IIS and from code. The cookie header is missing in the request header in call from localhost (code) and present in call from app running in IIS server.

Questions

• What sort of authentication I should send to make it work?
• Why is it working on IIS and not when running from code?
• Is it more of an API side of issue (i.e. NHibernate session thing) or a frontend one (cookie authentication)?

Sorry, if it’s a lame question. I have worked mostly with .NET 6 and OAuth, but this either look different to me or is different.

Any help would be appreciated. Please let me know if you require more info.

Thanks in advance.