
ASP.Net self-host web api: auth ajax request works, but the cookie isn't set

I am trying to implement authorization using Sencha ExtJs on the client and an Asp.net self-host web api on the server side. Here is my Controller:

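 /// <summary>
    /// Authenticates the caller from an HTTP Basic <c>Authorization</c> header and, on success,
    /// signs the resulting identity in through the OWIN authentication manager (persistent application cookie).
    /// </summary>
    /// <param name="ReturnUrl">Sent by the client but not used by this action; kept so existing callers keep working.
    /// NOTE(review): if it is ever honoured for a redirect it must be validated as a local path first.</param>
    /// <returns>
    /// 200 OK when the credentials are accepted; 400 Bad Request when the header is missing or malformed
    /// or when <c>AuthService.Authenticate</c> rejects the credentials.
    /// </returns>
    [HttpGet]
    [HttpPost]
    [Route("Login")]
    public async Task<IHttpActionResult> Login(string ReturnUrl = "")
    {
        // Guard the header: the original dereferenced Request.Headers.Authorization.Parameter unconditionally,
        // so a request without an Authorization header (or with a non-Basic scheme) became a 500 instead of a 400.
        var authHeader = Request.Headers.Authorization;
        if (authHeader == null
            || !string.Equals(authHeader.Scheme, "Basic", System.StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(authHeader.Parameter))
        {
            return BadRequest("Неверный логин или пароль");
        }

        string basicData;
        try
        {
            // NOTE(review): ASCII is kept from the original; RFC 7617 leaves the charset to the server,
            // so confirm the client never sends non-ASCII logins or passwords.
            basicData = Encoding.ASCII.GetString(System.Convert.FromBase64String(authHeader.Parameter));
        }
        catch (System.FormatException)
        {
            // Malformed base64 is a client error, not a server fault.
            return BadRequest("Неверный логин или пароль");
        }

        // Split on the first ':' only: the user-id cannot contain a colon but the password may (RFC 7617 §2).
        // The original Split(':') truncated such passwords and threw when no colon was present at all.
        var separator = basicData.IndexOf(':');
        if (separator < 0)
        {
            return BadRequest("Неверный логин или пароль");
        }
        var login = basicData.Substring(0, separator);
        var password = basicData.Substring(separator + 1);

        // NOTE(review): the original computed new PasswordHasher().HashPassword(password) and never used it;
        // the raw password is what reaches AuthService.Authenticate via PasswordHash (as in the commented-out
        // model-based call). Confirm that the service hashes/verifies internally rather than comparing in the clear.
        AppUser userDto = new AppUser { Name = login, PasswordHash = password };
        ClaimsIdentity claim = await AuthService.Authenticate(userDto);
        if (claim == null)
        {
            ModelState.AddModelError("", "Неверный логин или пароль.");
            return BadRequest("Неверный логин или пароль");
        }

        // Drop any existing session before issuing the new persistent cookie.
        AuthenticationManager.SignOut();
        AuthenticationManager.SignIn(new AuthenticationProperties
        {
            IsPersistent = true
        }, claim);

        return Ok();
    }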

Startup.cs:

  /// <summary>
  /// OWIN startup: builds the Web API configuration, registers the per-request auth service,
  /// cookie authentication, CORS and Ninject on the self-hosted pipeline. Registration order matters here.
  /// </summary>
  /// <param name="app">The OWIN application builder supplied by the host.</param>
  public void Configuration(IAppBuilder app)
    {
        // Serves as the Web API HttpConfiguration handed to UseNinjectWebApi below.
        var config = new HttpSelfHostConfiguration("http://localhost:9000");

        // The HttpListener-based host publishes its listener under this property key.
        // NOTE(review): the cast fails if the app is ever hosted by a different OWIN server — confirm the host.
        HttpListener listener = (HttpListener)app.Properties["System.Net.HttpListener"];
        string authMode = ConfigurationManager.AppSettings["AuthMode"];
        // NOTE(review): with only the Windows scheme enabled the listener challenges every request, including
        // CORS preflight (OPTIONS) which browsers send without credentials — verify preflights succeed in this mode.
        if (authMode == "windows")
            listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;

        // One IAuthService instance per OWIN request, created lazily from the factory below.
        app.CreatePerOwinContext(CreateAuthService);

        config.MapHttpAttributeRoutes();
        // CustomHeaderHandler stamps a fixed-origin set of CORS headers on every Web API response,
        // in addition to the UseCors policy registered further down.
        config.MessageHandlers.Add(new CustomHeaderHandler());
        config.EnsureInitialized();
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/api/Account/Login")
        });
        // NOTE(review): AllowAll reflects any requesting origin and permits credentials; together with the cookie
        // issued by Login this lets any site make authenticated cross-origin calls — restrict the policy to the
        // known client origin(s), and keep a single CORS source (this or the handler above) so they cannot disagree.
        app.UseCors(CorsOptions.AllowAll);
        app.UseNinjectMiddleware(NinjectConfig.CreateKernel);
        app.UseNinjectWebApi(config);

    }

    /// <summary>
    /// Factory used by <c>CreatePerOwinContext</c>: builds the user service bound to the
    /// "KCentralBaseConnection" connection.
    /// </summary>
    /// <returns>A freshly created <see cref="IAuthService"/>.</returns>
    private IAuthService CreateAuthService()
    {
        return new ServiceCreator().CreateUserService("KCentralBaseConnection");
    }

}
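/// <summary>
/// Web API message handler that appends a fixed set of CORS headers to every response.
/// </summary>
public class CustomHeaderHandler : DelegatingHandler
{
    /// <summary>
    /// Forwards the request down the handler chain and adds the CORS headers to the resulting response.
    /// </summary>
    /// <param name="request">The incoming request.</param>
    /// <param name="cancellationToken">Token that cancels the inner send.</param>
    /// <returns>The inner handler's response with the CORS headers added.</returns>
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, System.Threading.CancellationToken cancellationToken)
    {
        // await replaces ContinueWith + task.Result: a faulted inner send now propagates its real exception
        // instead of an AggregateException, and cancellation surfaces as OperationCanceledException rather
        // than a cancelled continuation.
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // NOTE(review): Startup also registers UseCors(AllowAll); two CORS sources can disagree — keep one.
        response.Headers.Add("Access-Control-Allow-Origin", "http://127.0.0.1:1841");
        // NOTE(review): the Fetch spec does not honour "*" here for credentialed preflights — list the
        // headers explicitly (the client sends Authorization).
        response.Headers.Add("Access-Control-Allow-Headers", "*");
        response.Headers.Add("Access-Control-Allow-Credentials", "true");
        // NOTE(review): Set-Cookie is a forbidden response-header name; browsers never expose it to script,
        // so this entry has no effect — the cookie is stored by the browser only when the request is credentialed.
        response.Headers.Add("Access-Control-Expose-Headers", "Set-Cookie");
        return response;
    }
}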

and ajax request from client:

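/**
 * Login button handler: sends the form's login/password as an HTTP Basic
 * Authorization header to the Web API Login action and reloads the page on success.
 * Basic credentials are only base64-encoded, so this is safe only over HTTPS.
 * @param {Ext.button.Button} button The clicked button; its enclosing form holds login and password.
 */
onLoginButton: function(button) {
    var me = this;
    var form = button.up('form');

    var values = form.getValues();
    // The server splits on the first ':' (RFC 7617), so the login itself must not contain a colon.
    var credentials = values.login + ':' + values.password;
    var encoded = Base64.encode(credentials);
    Ext.Ajax.request({
        url: WebApiServerUrl + 'api/Account/Login',

        useDefaultXhrHeader: false,
        cors: true,
        // Without this the browser discards the Set-Cookie of a cross-origin response, so the
        // application cookie issued by Login is never stored (and never sent on later requests).
        withCredentials: true,

        headers: {
            'Authorization': 'Basic ' + encoded
        },
        params: {
            ReturnUrl: window.location.href
        },
        success: function (response) {
            window.location.replace(window.location.href);
            me.view.destroy();
        }
    });
}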

The Login method performs successfully and returns the following response to the client:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:*
Access-Control-Allow-Origin:http://127.0.0.1:1841
Access-Control-Expose-Headers:Set-Cookie
Cache-Control:no-cache
Content-Length:0
Date:Fri, 15 Apr 2016 11:27:52 GMT
Expires:-1
Pragma:no-cache
Server:Microsoft-HTTPAPI/2.0
Set-Cookie:.AspNet.ApplicationCookie=AQAAANCMnd8BFdERjHoAwE_Cl-sBAAAAVeoujy5JdkaH_QpkOzXnDgAAAAACAAAAAAAQZgAAAAEAACAAAACLPGlOfvi79s2kU5ufyi9f3e2NZmBSfKePhsb-Yrb--QAAAAAOgAAAAAIAACAAAADjnYtqzg1eo2OecgqcCR6FE6wStdA9G_KlLPpcUyOpwmABAAB9hv7RbAug93wiDtl6qarpgBavISxBqBjiBdQ1eRzAvucGgO19605M7rqiPQAPxV3ZidcRxsYnhKKKdYNFPPexahMARNIJHwK8Q0lwH8XwTW66URJFl631lx-C0flLQep_MpKvRlJcyZ15zF2UEkHk0A6QtrY2Ae_nDkMATxJb2J9QIo_2j5HXfuxfugIOvWtJcnfMXO1uksOrsXCiBqSSIff_V2MLSnMLfKh2yRsEeDgezgYP77oGyXdjNGdgtte7mzNGRlitkcY9ArCtcubY8Im3x_X7j_PjHObPzn9X41MdhhpBwD3POssrAYtv-LDbaIITGjY_7aSWsAYNaZF-ztqpqkvRlY3drs5J060UbMtywQK1FWjvO_kI7sdVsbhKtyHghAgGU6svwb1uNIXVOCY-gSMoBCtgpDsCv2CIhNTTNeqM3cE5GXibUkJxMa8uWLS_QKy_T65H7wwn97IgQAAAANlyJIlNsiytkzJoz01lZbk1FyZVXtkor21cA4H05bPjuc7Aj9qYE8xDm2PnmQ3z5zwvHr5uxTRB7kklUsD_oaI; path=/; expires=Fri, 29-Apr-2016 11:27:53 GMT; HttpOnly
Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:Basic QWRtaW46cGFzc3dvcmQ=
Connection:keep-alive
Content-Length:61
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Host:localhost:9000
Origin:http://127.0.0.1:1841
Referer:http://127.0.0.1:1841/Admin/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

But the browser doesn't save the cookie (I tried Chrome and IE), although when I send the same request from Postman, the cookie is set correctly.

I solved this problem. I had to set WithCredentials: true in Ajax.request both for the request that receives the cookie AND for the requests that send it.


 