Click here to Skip to main content
15,907,001 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
So I have an APIservice made that does a lot of stuff with data.
One thing it does is get 'Candidates' by their Login data.

Code like this does the job

[HttpGet]
        [Route("{name}/{password}/ByNameAndPassword")]
        public async Task<HttpResponseMessage> GetCandidateByNameAndPasswordAsync(string name, string password)
        {
            var candidate = await candidatesManager.GetCandidateByNameAndPasswordAsync(name, password);

            if (candidate.CandidateId != 0) { return Request.CreateResponse(System.Net.HttpStatusCode.OK, candidate); }
            else { return Request.CreateErrorResponse(HttpStatusCode.NotFound, "Candidate with the requested credentials not found."); }
        }


However, this works in many cases. But in some cases with characters this code isn't even reached by the sender/client.

The problem only happens by a Get.
Inserting data is not a problem.

Example: when I use a Name or Password containing the following list of characters it doesn't work.

#
%
&
*
:
"
'
<
>
?
/
.

My question will be obvious: why doesn't it work if one or more of these characters are involved in case of a GET?

What I have tried:

I have tried anything I could com up with but I really have no ideas anymore.
Posted
Updated 11-Dec-19 14:52pm

1 solution

Well... the problem is quite evident; many of these are various control or otherwise special characters.

The %, &, #, and / should be visible to anyone who has looked at a URL as separators, fragment identifiers, routing, and escape characters.
I personally would not use GET with a password, as it is just going to be a part of the URL and is subject to browser caching and logging within the server logs.
The solution can be quite evasive to find; especially if you intend on keeping this as a GET method.
In Net Framework, you could work with various elements in the web.config file to relax the various character restrictions, I do not know how to do in a Net.Core/Kestrel environment at this time.
Hopefully the following config references can guide you
Look here:
XML
<system.web>
     <httpRuntime
And here:
XML
<system.webServer>
     <security>
          <requestFiltering allowDoubleEscaping="true">
 
Share this answer
 
Comments
Wiep Corbier 12-Dec-19 7:52am    
Thanks very much. You made me see the light, and the solution. Instead of a GET I will use a POST (without the actual posting of course)

I POST an object containing the Name and Password.
On the server side I do a query if the Candidate exists and return a response.
MadMyche 12-Dec-19 7:57am    
You're welcome

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900