How to test ASP.NET Core Web API with cookie authentication using Postman?

Hi All.

I posted this on Stack Overflow as a Q&A post; however, I don’t think it’ll be around for much longer… So I’m posting it here.

I’m working on a ASP.NET Core MVC Web Application (.NET Core 2.1) that implements Cookie Authentication. The web application also includes a web API where client-side JavaScript makes Ajax calls back to the web server. The web API is not intended to be consumed by external systems, not at the moment; however, it be a different story if it did i.e. an appropriate authentication method for a stateless service.

The web API controllers are decorated with [Authorize]; requiring the user to login via the web application before the Ajax calls can access the web API methods.

I wanted to use Postman (Windows native application) to test the web API calls while running the web application on localhost. I couldn’t find any articles or how-to posts that pointed out what needs to happen to get this working. So I documented the following steps:

How to copy the authentication cookie into Postman from the browser after logging in?

  1. Run and log into your web application and open the Browser’s Developer Tools.

  2. From Developer Tools, locate the list of cookies for localhost. Using Chrome (version 73) as an example, select the Application tab and expand the Storage > Cookies option.

  3. From the Cookies option, click on your localhost web application e.g. localhost:port. This will display the list of cookies.

  4. Having logged into your web application, a cookie named .AspNetCore.Cookies should be present. Copy the value i.e. it should be a long string of characters such as CfDJ8FNwIhImGGFJmGnb...

  5. From Postman, create a request to access your chosen web API method and locate the Cookies option for the request.

  6. From within Manage Cookies, add a new cookie. Example from Postman (v7.0.6) below

  7. The placeholder value should be updated from:

    Cookie_1=value; path=/;domain=localhost;

    to

    .AspNetCore.Cookies=CfDJ8FNwIhImGGFJmGnb… shortened for brevity …; path=/; domain=localhost;

  8. Click send. The response should be the data or error returned from the web API method call and not the HTML of your login page. If it’s the login page HTML, then the cookie or cookie value is most likely incorrect.

I know this is not how web API authentication should be implemented; however, this post is about setting up Postman to work in the particular scenario. This is the second time I’ve come across this situation and have decided to document it.

1 Like