WebGrid is trying to authenticate (it shouldn't) and fails

4 replies. Last post: March 26, 2012 9:53 PM by Yudi
Tags :
  • New Discussion
  • New Question
  • New Product Feedback
Eric Member

We are using WebGrid 6.0.7200.220 on an ASP.NET 4.0 site with Integrated Windows authentication. The website is slow due to a slow network. We saw that every server request is made of three requests (first is an anonymous attempt with 401 result, second is another attempt without any data and with the Authorization header and again 401 result, third request is successful 200). These three requests are made for every image, every javascript, etc. that is not in the cache of the browser.

To avoid these multiple requests we redesigned the application. Now we'er using anonymous authentication. In global.asax/Session_Start we redirect to a Login.aspx page. Login.aspx is the only page set to Integrated Windows authentication. There we retrieve the user information and store this in the Session object. Then we redirect to the normal application. In the application we just read the user information from the Session object instead. This works great - except that this broke WebGrid somehow.

I de-obfuscated the WebGrid js code and started debugging. I found out that our code calls (from the client-side row select event handler) a js function that calls SendCustomRequest (with a delay of a half second due to another bug in WebGrid). I could debug this call into Intersoft's js file that it does this:

this.Send=function(...
var vf1026=this.XmlHttp
...
vf1026.open("POST",...
vf1026.setRequestHeader("Content-Type",...
vf1026.onreadystatechanged=...
vf1026.send(xxx);
(xxx is "WebGridRequest=...(encoded xml with request action=custom))

So everything looks good. But what I see from the network trace protocol is that actually the POST request is being made, but with these request headers:

...
Cookie: ASP.NET_SessionId=...
Authorization: Negotiate ...
Content-Length: 0

The server does not expect this and answers with a 100 Continue and then 200 OK with the full page again. The client didn't expect this answer and calls the client side error handler, which redirect to an error page.

So what went wrong here? I can see that the WebGrid sends an empty Content-Length with the POST request and it tries to authenticate (see Authorization header). That's the problem. No other request to the server ever does authenticate again. Remember that we are using anonymous authentication. For some reason WebGrid (or the component it is using) thinks it needs to authenticate and sends this Authorization header. Why is this happening and how can we avoid this problem?

When I set IIS back to Integrated Windows authentication, everything is working again, but this is what we wanted to avoid.

We are considering to upgrade to the newest version, but if these bugs continue, we will rather replace WebGrid. I don't want to "try" with another version. Please tell me if this is a known bug and already fixed, or if not, please investigate. Thanks.

All times are GMT -5. The time now is 3:46 PM.
Previous Next