Edge PDF Viewer Second Request with new ASP.Net Session

Issue #16358526 • Unassigned


Mar 13, 2018
This issue is public.
Found in
  • Microsoft Edge
Found in build #
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

As has been documented several times, the PDF viewer in Edge incorrectly invokes a second HTTP GET request when opening a PDF document in Edge. See:



In these write ups, the authors have focused on the issue of the second request, which while annoying, wasteful and slow is not the real problem. The real issue is that the second request is done without passing the ASP.NET SessionId cookie. This makes serving dynamically rendered PDFs using ASP.NET session variables impossible. Ultimately, this is the cause of much suffering and why so many users claim PDFs do not work using Edge. PDFs work fine in Edge, but PDFs that are dynamically rendred by the server using data or authentication tokens stored in session variables do not.

To highlight the issue, I have created the following website:


  1. Browse this link using Chrome or IE.
  2. On the initial page, enter a username and hit submit.
  3. Note that the username (which is stored in a session variable) is displayed on the subsequent page. Also note the ASP.Net Session ID.
  4. Click the “View PDF” link.
  5. A PDF will be rendered and displayed in a new window/tab. Note that the username is correctly displayed in the PDF, and the ASP.Net Session ID matches the session ID listed on the previous page (it’s the same session).

Then . .

  1. Browse to the above link using Edge.
  2. On the initial page, enter a username and hit submit.
  3. Note the session variable username and ASP.Net Session ID is displayed.
  4. Click the “View PDF” link.
  5. Note that in the rendered PDF the username is BLANK and the ASP.Net Session ID DOES NOT match the Session ID listed on the previous page!
  6. Realize Microsoft really screwed the pooch on this.
  7. Get a fix for this into production.

For even more fun, you can use Wireshark to see that when the “View PDF” link is clicked, Edge (unlike other browsers) makes two HTTP GET requests. The first request contains the ASP.NET_SessionId cookie of the current session. The second HTTP GET request does not. Hence, the ASP.NET session information is not available to the server on the second request and the PDF is not rendered correctly (the username session variable is empty).


0 attachments

    Comments and activity

    Nothing to see here! No one has commented on this issue yet.

    You need to sign in to your Microsoft account to add a comment.

    Sign in