Runtime: HttpClient does not follow 302 redirects

Created on 11 Oct 2017  路  12Comments  路  Source: dotnet/runtime

Run the following console application in .NET Core 2.0 and in .NET Full Framework.

```c#
class Program
{
static void Main(string[] args)
{
MainAsync().Wait();
}

static async Task MainAsync()
{
    var httpClient = new HttpClient();
    var response = await httpClient.GetAsync(
        "https://icons.better-idea.org/icon?url=kayak.com&size=16..24..32");
    Console.WriteLine(response.StatusCode);
    Console.ReadLine();
}

}

- In .NET Full Framework, this writes `OK` (200).
- In .NET Core 2.0 this writes `Redirect` (302).

I cannot get .NET Core 2.0 to follow the 302 redirect even if I explicitly do:

```c#
var httpClient = new HttpClient(new HttpClientHandler
{
    AllowAutoRedirect = true,
    MaxAutomaticRedirections = 20
});

I always get Redirect (302).

area-System.Net.Http
Source
picture kspearrin
👍4

Most helpful comment

@davidsh should we resolve one of the issues as dupe?
Do we have tracking issue for error message improvement? It would save everyone quite some time ...

picture karelz on 11 Oct 2017
👍2

All 12 comments

This is doing a redirect from HTTPS to HTTP which is not allowed in .NET Core.

davidsh picture davidsh on 11 Oct 2017
👍2

cc: @karelz @stephentoub

davidsh picture davidsh on 11 Oct 2017

@davidsh Is there a way to override this behavior?

kspearrin picture kspearrin on 11 Oct 2017
👍1

@davidsh Is there a way to override this behavior?

No. You cannot override having automatic redirection dis-allowing HTTPS -> HTTP.

However, you can set automatic redirection to false.

c# var httpClient = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false, });

Then you can parse the 302 responses yourself (i.e. grab the "Location: " response header. Then submit a new request to the new url.

davidsh picture davidsh on 11 Oct 2017

Similar root cause as dotnet/runtime#23697

davidsh picture davidsh on 11 Oct 2017

@davidsh should we resolve one of the issues as dupe?
Do we have tracking issue for error message improvement? It would save everyone quite some time ...

karelz picture karelz on 11 Oct 2017
👍2

I am ok with closing this now as needed. I just did not expect the difference in behavior between the two frameworks.

kspearrin picture kspearrin on 11 Oct 2017

@kspearrin this is corner case difference. Moreover, the .NET Core behavior is more secure.
Having good explanation (in the exception) when it happens would be really nice to have though.

karelz picture karelz on 11 Oct 2017

Do we have tracking issue for error message improvement? It would save everyone quite some time ...

Actually, I think we should consider a behavior change. Since we are already different from .NET Framework (which allows HTTPS -> HTTP), we should probably just throw an exception (HttpRequestion exception) with a good error message. This is probably better than our current behavior where we simply ignore the redirect.

cc: @stephentoub @karelz

davidsh picture davidsh on 11 Oct 2017

Sounds reasonable to me. cc @geoffkizer @Priya91 @wfurt

karelz picture karelz on 11 Oct 2017

I opened up a new issue dotnet/corefx#24577 to track work to make this change .NET Core.

davidsh picture davidsh on 11 Oct 2017
1

Closing this issue now since the behavior is understood and dotnet/corefx#24577 will track changing this to an exception.

davidsh picture davidsh on 11 Oct 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jchannon picture jchannon  路  3Comments
iCodeWebApps picture iCodeWebApps  路  3Comments
aggieben picture aggieben  路  3Comments
jzabroski picture jzabroski  路  3Comments
nalywa picture nalywa  路  3Comments