
I'm creating an application where the user logs in with a Username, Password and a Domain. I want to make as much of it as possible reusable across Windows platforms, so I'm using the NuGet package Microsoft HTTP Client Libraries in a Portable Class Library.

Here is how I create the HttpClient with an HttpClientHandler and then call GetAsync.

    using System;
    using System.Net;
    using System.Net.Http;
    using System.Net.Http.Headers;

    // Attach the user's credentials to the handler.
    HttpClientHandler handler = new HttpClientHandler();
    ICredentials myCredentials = new NetworkCredential("Username", "Password", "Domain");
    handler.Credentials = myCredentials;

    // Create the client on top of that handler and issue the request.
    HttpClient client = new HttpClient(handler);
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    client.BaseAddress = new Uri("https://....");
    HttpResponseMessage response = await client.GetAsync("...");

This seems to work fine. The credentials are sent in the request and only registered users are allowed to get the data.

In my application the users also have the option to sign out and then sign in again with possibly another username, password or domain. And here is where the problem is. If I have called the client.GetAsync with some valid credentials one time, the HttpClient seems to remember the old user credentials, although I'm creating a new instance of HttpClient each time and setting the correct credentials for the new user.

So my question is: is the HttpClient keeping a network channel open, or is there some session problem that I'm not aware of?

--- Update #1 ---

If I make the URLs unique in GetAsync(...), e.g. I could pass some random parameter with the request, the server will validate the credentials and only Authorized users will get access to the resource. It is not really a good solution, so I did some more research.

It looks like the server is sending a response header called Persistent-Auth: true. This tells the client that the Authorization header is not required for the next request. I guess that's why the credentials are not sent the next time I try to call GetAsync for the same resource. Surprisingly, I also noticed in Fiddler that for the second request to this resource, no HTTP request is being sent at all from the client.

One interesting thing is that if I try the same approach in a browser, the Authorization header has the same behavior, so it's only included in the first request. For the second request to the same resource, I can see in Fiddler that an HTTP request is being sent, as you would expect.

So to sum it all up, I guess I'm stuck with 2 issues. First, is it possible to change this Persistent-Auth behavior so it is set to false in the server response? Second, why is my application not sending any request at all the second time I'm requesting the same resource?

  • Have you made sure the `client` object is disposed? – Rameez Ahmed Sayad Oct 15 '13 at 08:57
  • On what platforms are you seeing this behavior? On Windows Phone, for example, the OS will often cache results and return them to you when you request the same URL. – Daniel Plaisted Oct 15 '13 at 21:42
  • @RameezAhmedSayad: I have tried calling Dispose() on both client and handler after the request, but it doesn't seem to change anything. – Nicolaj Hedeager Larsen Oct 18 '13 at 07:43
  • @DanielPlaisted: It is on Windows Phone. Do you know if I can try to disable that behaviour? – Nicolaj Hedeager Larsen Oct 18 '13 at 07:45
  • @NicolajHedeagerLarsen: Since it's a cache issue, maybe you can try adding the headers to the response, not sure on this: http://stackoverflow.com/questions/49547/making-sure-a-web-page-is-not-cached-across-all-browsers – Rameez Ahmed Sayad Oct 20 '13 at 19:58
  • @RameezAhmedSayad: I have tried adding some different headers like Cache-Control: no-cache and ConnectionClose, but none of it seems to work. I think the problem is related to issue 6 here: http://blogs.msdn.com/b/bclteam/p/httpclient.aspx I will try the suggested resolution and update this post if it solves my problem. – Nicolaj Hedeager Larsen Oct 21 '13 at 07:56
  • Bit late but there appears to be a solution to this issue now for WP: https://stackoverflow.com/questions/30731424/how-to-stop-credential-caching-on-windows-web-http-httpclient – jbob77435 Jul 17 '19 at 09:42

1 Answer

According to the answer to this question: How to stop credential caching on Windows.Web.Http.HttpClient?

It should work for Windows build 10586 onwards. To manually clear all cached credentials, we can also call the method HttpBaseProtocolFilter.ClearAuthenticationCache(), which clears all cached credential information. Documentation for this method can be found here: https://docs.microsoft.com/en-us/uwp/api/Windows.Web.Http.Filters.HttpBaseProtocolFilter
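A sign-in/sign-out wrapper built around the `ClearAuthenticationCache()` call mentioned in the answer, as an added example that is not code from the question or the answer. It uses the UWP `Windows.Web.Http` stack rather than the portable `System.Net.Http` client from the question; the class name `UserSession`, the `DOMAIN\user` user name format and the `"example-resource"` label are assumptions.

```csharp
using System;
using Windows.Foundation.Metadata;
using Windows.Security.Credentials;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

// Hypothetical helper: one filter/client pair per signed-in user,
// disposed (and its cached credentials cleared) on sign-out.
public sealed class UserSession : IDisposable
{
    private const string FilterType = "Windows.Web.Http.Filters.HttpBaseProtocolFilter";
    private readonly HttpBaseProtocolFilter _filter;

    public HttpClient Client { get; }

    public UserSession(string domain, string user, string password)
    {
        _filter = new HttpBaseProtocolFilter
        {
            // Fail with 401 instead of letting the OS prompt for credentials.
            AllowUI = false,
            // Assumption: the server accepts the DOMAIN\user form.
            ServerCredential = new PasswordCredential(
                "example-resource", domain + "\\" + user, password)
        };

        // Always revalidate with the server and do not store responses,
        // so a repeated GET for the same URL is not served from the local
        // cache on behalf of a different user.
        _filter.CacheControl.ReadBehavior = HttpCacheReadBehavior.MostRecent;
        _filter.CacheControl.WriteBehavior = HttpCacheWriteBehavior.NoCache;

        Client = new HttpClient(_filter);
    }

    // Call on sign-out, before creating a UserSession for the next user.
    public void Dispose()
    {
        // Guard the call: the method is not present on older OS builds.
        if (ApiInformation.IsMethodPresent(FilterType, "ClearAuthenticationCache"))
        {
            _filter.ClearAuthenticationCache();
        }
        Client.Dispose();
        _filter.Dispose();
    }
}
```

After signing a user out, requesting the protected URL with deliberately wrong credentials should return 401; a 200 means a cached credential or cached response is still being reused.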