I posted this on Stack Overflow as a Q&A post; however, I don’t think it’ll be around for much longer… So I’m posting it here.
The web API controllers are decorated with [Authorize], requiring the user to log in via the web application before the Ajax calls can access the web API methods.
I wanted to use Postman (Windows native application) to test the web API calls while running the web application on localhost. I couldn’t find any articles or how-to posts that pointed out what needs to happen to get this working. So I documented the following steps:
How to copy the authentication cookie into Postman from the browser after logging in?
Run and log into your web application and open the browser's Developer Tools.
From Developer Tools, locate the list of cookies for localhost. Using Chrome (version 73) as an example, select the Application tab and expand the Storage > Cookies option.
From the Cookies option, click on your localhost web application e.g. localhost:port. This will display the list of cookies.
Having logged into your web application, a cookie named .AspNetCore.Cookies should be present. Copy the value i.e. it should be a long string of characters such as
From Postman, create a request to access your chosen web API method and locate the Cookies option for the request.
From within Manage Cookies, add a new cookie. Example from Postman (v7.0.6) below
The placeholder value should be updated from:
.AspNetCore.Cookies=CfDJ8FNwIhImGGFJmGnb… shortened for brevity …; path=/; domain=localhost;
Click send. The response should be the data or error returned from the web API method call and not the HTML of your login page. If it’s the login page HTML, then the cookie or cookie value is most likely incorrect.
I know this is not how web API authentication should be implemented; however, this post is about setting up Postman to work in the particular scenario. This is the second time I’ve come across this situation and have decided to document it.
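The same check as the steps above, scripted, as an added example that is not part of the original post: it sends the copied cookie to a localhost API method without following redirects and reports whether the response is API output or a bounce to the login page. The environment variable names API_URL and AUTH_COOKIE are assumptions made for this example.

```python
import http.client
import os
from urllib.parse import urlsplit

COOKIE_NAME = ".AspNetCore.Cookies"  # cookie name from the steps above

def classify(status, headers):
    """Say whether the API accepted the cookie, from status and headers only."""
    if status in (301, 302, 303, 307, 308):
        # Cookie auth challenges with a redirect to the login path; a client
        # that follows it ends up displaying the login page HTML.
        return "rejected: redirected to " + headers.get("Location", "?")
    if status in (401, 403):
        return "rejected: HTTP %d" % status
    if "text/html" in headers.get("Content-Type", "").lower():
        return "rejected: HTML returned, probably the login page"
    return "accepted: HTTP %d" % status

def call_api(url, cookie_value):
    """GET url with the copied cookie attached, without following redirects."""
    parts = urlsplit(url)
    # The cookie is a bearer credential for your session: keep it on localhost.
    if parts.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("refusing to send the auth cookie to " + str(parts.hostname))
    https = parts.scheme == "https"
    conn_type = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_type(parts.hostname, parts.port, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target, headers={"Cookie": COOKIE_NAME + "=" + cookie_value})
        response = conn.getresponse()
        response.read()
        return classify(response.status, response.headers)
    finally:
        conn.close()

if __name__ == "__main__":
    # API_URL and AUTH_COOKIE are hypothetical variable names; reading the value
    # from the environment keeps it out of the script and source control.
    print(call_api(os.environ["API_URL"], os.environ["AUTH_COOKIE"]))
```

For an https://localhost URL the development certificate has to be trusted by Python, otherwise the connection fails before any cookie is sent.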