Transfer Session cookie from one Request to another in ASP.NET - c#

I have 3 different Servers.
On Server A I have a webpage pageA.aspx
On Server B I have a webpage pageFrame.aspx
On Server C I have a Web API controller controllerC.cs
On Server A I have another page pageB.aspx
pageA.aspx and pageB.aspx are different pages on the same website.
pageFrame.aspx is embedded in pageA.aspx as an IFRAME.
pageA.aspx has both the standard ASP.NET authentication and Session cookies, along with other cookies.
pageFrame.aspx picks up these cookies and makes an ajax call to ControllerC.cs and is able to pass these cookies along in the POST Request.
ControllerC.cs now needs to make a POST Request back to Server A by calling pageB.aspx but it needs to pass along the cookies it received in the ajax call from pageFrame.aspx. By doing this it can reach the same session that pageA.aspx was in.
Now pageB.aspx does some processing and replies to the POST request with a ticket (GUID). This ticket is then sent back from ControllerC.cs as part of the response to the ajax call to pageFrame.aspx. pageFrame.aspx then submits this ticket to pageA.aspx as a response to the original request.
PageA.aspx now simply submits back to its web server and can pick up from the session whatever pageB.aspx has placed in the session during its processing.
Now my question is how do I transfer the cookies from pageFrame.aspx's ajax post request in ControllerC.cs to the request it is making to pageB.aspx?
I have been trying to use HttpClient and trying to add the cookies from one request to another but they seem to be in two different namespaces and when I do make a post the cookies aren't picked up and sent. Does anyone know how I can write the code in ControllerC.cs to pick up the cookies in the request made to it from pageFrame.aspx and pass it to the new request it is making to pageB.aspx?
I look forward to and appreciate your help.
Thank you,
Gmat
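One way to do the forwarding in ControllerC.cs, as an added example that is not from the question or any answer on this page. It assumes ASP.NET Web API 2, the default cookie names (ASP.NET_SessionId and .ASPXAUTH) and a made-up pageB URL; only those two cookies are copied, the other cookies from the ajax call never leave Server C.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Http;

// Added example, not the poster's code. The pageB URL and cookie names are assumptions.
public class ControllerC : ApiController
{
    // Only these are needed to reach pageA's session on Server A.
    private static readonly string[] ForwardedCookies = { "ASP.NET_SessionId", ".ASPXAUTH" };

    // UseCookies = false: otherwise the handler's own CookieContainer overrides a
    // manually set Cookie header and nothing is sent. AllowAutoRedirect = false so a
    // redirect to the login page shows up as a 302 instead of being followed silently.
    private static readonly HttpClient Client = new HttpClient(new HttpClientHandler
    {
        UseCookies = false,
        AllowAutoRedirect = false
    });

    [HttpPost]
    public async Task<IHttpActionResult> GetTicket()
    {
        // Incoming cookies are CookieHeaderValue (System.Net.Http.Headers), not
        // System.Net.Cookie, so copy the name/value pairs over explicitly.
        var forwarded = Request.Headers.GetCookies()
            .SelectMany(h => h.Cookies)
            .Where(c => ForwardedCookies.Contains(c.Name))
            .Select(c => c.Name + "=" + c.Value)
            .ToList();
        if (forwarded.Count == 0)
            return Unauthorized();

        var outbound = new HttpRequestMessage(HttpMethod.Post, "https://serverA.example/pageB.aspx")
        {
            Content = new StringContent("")
        };
        // One Cookie header, "name=value; name=value", exactly as a browser would send it.
        outbound.Headers.TryAddWithoutValidation("Cookie", string.Join("; ", forwarded));

        var response = await Client.SendAsync(outbound);
        if (response.StatusCode != HttpStatusCode.OK)
            return StatusCode(HttpStatusCode.BadGateway);
        var ticket = await response.Content.ReadAsStringAsync();
        return Ok(ticket);
    }
}
```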

Related

Access the cross domain single sign-on websites using .net

Let's say I have two websites that live on separate domains, and they have been authenticated with SSO login. I log into the first website and authenticate, and now I decide to visit the second website using a link visible in the 1st website. This link redirects to the second website and no credentials are needed. (Note that these websites are developed and hosted by some other company and I don't have access to the source code. I have one set of login credentials and I am expecting to access the page data of the second website.)
I want to access the websites using .net code. I have done some work and gone up to accessing the link of the first website using HTTP requests and cookies, which redirects to the second website. But soon after I clicked the link it opened domain 2 in a new browser tab and generated a new session id as well. It doesn't have any connection with the first website's cookie. But I can access the data of website 2 when I pass the URL and current session id of website 2 manually.
Is there any security mechanism behind SSO login which can be broken through to access the common session Id for both website 1 and website 2? How can I find the connection between two domains when they have two session Ids? I can't post the code here as it has some private information of my client.
I solved the problem. There was a SAML request and relay state which were sent to the login server from both domains. Even though they are not identical, we have to consider them when accessing the form data. Also with cookies I had to send pls_login_cookietime specifically from the very first request to the last request.
Ex:
using System.Web; // HttpUtility

// Cookietime and login are the responses of two different URL requests (explained below);
// CookieValue is the poster's helper that returns the named response cookie.
var cookie = new
{
    pls_login_cookieTime = Cookietime.CookieValue("pls_login_cookieTime"),
    pls_login_SimpleSAMLSessionID = HttpUtility.UrlEncode(login.CookieValue("pls_login_SimpleSAMLSessionID")),
    TimeOutCheckID = login.CookieValue("TimeOutCheckID"),
    pls_login_SimpleSAMLAuthToken = login.CookieValue("pls_login_SimpleSAMLAuthToken"),
    pls_login_rememberme = login.CookieValue("pls_login_rememberme")
};
Here Cookietime and login are the responses from accessing two different URLs, where CookieTime is the initial URL and login includes the login server URL. Even though login doesn't provide a response cookie named pls_login_cookieTime, I had to pass it to the final URL in the request headers.
There were very few confusions. If you use tools like Fiddler to check HTTP requests you can understand most of how they have managed cookies in multiple domains. The rest is in your hands. You have to think a little bit hard and differently. But overall it is not difficult. It is just confusing.

Transfer cookies to browser from console c#

I'm sending an HttpWebRequest to the server, saving cookies in an environment variable and attaching them to requests. I want to know if it is possible to transfer cookies to the browser (open some link in the browser) so the session will be preserved. (I authenticate from the console, and I want the authentication to stay when opening the webpage in the browser.)
I have solved this by implementing API on server, which gives id to append to link, to maintain session.

Should cookie be sent in Request header for POST when simulating the process of logging into a website?

In the simulation of logging into a website with C# (a banking website specifically),
should there be any cookie expected in the POST request HttpWebRequest (if this C# simulation parallels the process of a web browser visiting the site for its first time and logging in)? Do I need to include HttpWebRequest.Headers.Add("Cookie", cookieString) or should the cookie be omitted (since it's a first visit)? According to my understanding, a web browser receives its first cookie after its first visit; the browser doesn't have any cookie to submit when it requests a website for its first visit. However, the browser will be able to submit cookies for its second visit (and third, etc.).

MVC Redirect with custom headers

Hopefully this is a simple question for someone out there.
Basically upon receiving a request to my MVC controller, I want to:
Add an "Authorization" header to the response
Redirect to another application sitting on another domain
Read the "Authorization" header at this external site.
It appears the act of redirecting, strips out all my custom headers and redirects.
My question, how can I add a new header, AND perform a redirect, AND have that header show up in the headers for the receiving host [at the end of the redirect] to read?
You can't. That's not how HTTP works. First, a "redirect" is just a 301, 302, or (since HTTP 1.1) 307 status code with the Location header set to the URL the client should go to. It's the client that initiates the request to that URL, so you have no control over what headers they send.
Second, HTTP is stateless, so the fact that an Authorization header was sent in some response at some point has zero bearing on anything that happens in any future requests. Web browsers and other HTTP clients skirt around the stateless nature of HTTP by using sessions on the server-side and cookies on the client side. The client sends the cookie to the server with the request. The cookie matches an item in the session store on the server, and the server loads up the data from that session to give the appearance as though state was maintained.
Third, cookies don't work in this situation, because they are domain bound and are not sent along with requests to domains they did not originate from. So, even if you were to create a session to maintain the authorization, the other site would never see it.
FWIW, the basic premise here, sharing authentication state with a different domain, is exactly what technologies like OAuth were developed for. So direct future research in that direction.
No - 302 redirects are handled by the browser and it will not re-attach headers.
Options:
server side proxy
use cookies instead of other headers (if it is the same domain, not your case per 2)
manual redirect client side (may be ok since you are making AJAX call anyway).

Tamper with http requests programmatically

I need to sign in to a site. I can do this via a URL such as url.com/ssorequest?parameters=123. If this is typed in the address bar I'm signed in and get redirected to the portal.
Now I'm supposed to do this through an HTTP POST request programmatically but I can't get it to work; I get redirected to a sign-in form instead of the portal, i.e. I don't get signed in.
I used Fiddler to find out what the difference between the two methods was. I found that a couple of behind-the-scenes GET requests were different. The browser's GET requests send cookie data to the server and Fiddler's POST request does not.
When I use Fiddler to repeat the browser's first call it doesn't send the cookie data either. So it only works when I do it via the browser window. Unless I use breakpoints in Fiddler and tamper with the requests to include the cookie data.
Q: Why does it behave differently from the browser both with HTTP POST and when the request is done from Fiddler?
Q: Is there any way to tamper with the outgoing requests programmatically in my C# app without writing my own Fiddler application?
Most probably you have encountered an anti-forgery cookie. It works in a way that ensures you are signing in using the page that was first requested and loaded in the browser, and the cookie is valid for one request only, hence Fiddler will not be able to log in if you run the same request again.
Using C#, you first have to request the sign-in page and get the cookies provided with this page in a cookie container. Next time, when you post the page along with data, you have to make sure that the cookie is attached with the request.
Edit:
Step 1: Browse any page on the site. This will initiate the session. It will also give you the session cookie.
Step 2: Request the sign-in page. Send the cookie obtained in step one along with the sign-in page request so that it can recognize the session. This step is critical. At this stage, there can be either of two things depending on the security system the site is using. Either it will send a security cookie along with the session cookie or it will add a hidden variable in the form with a value which serves as a security token. Make sure that you get this token/cookie.
Step 3: Post the login information to the sign-in page (or whatever page the form action leads to) along with the cookie/token obtained in step 1. If it is a token, include it in your post data along with the login information; if a cookie, add it to the request.
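The three steps above in C#, as an added example that is not the answerer's code. It assumes a site URL, the ASP.NET MVC default hidden field name __RequestVerificationToken, the default .ASPXAUTH auth cookie and the form field names UserName/Password; a single CookieContainer replays the session and anti-forgery cookies for you, which is exactly what the replayed Fiddler request lacks.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

// Added example, not from the answer. URLs, field names and the cookie name are assumptions.
static class PortalSignIn
{
    static readonly Uri Site = new Uri("https://portal.example/");

    public static async Task<bool> SignInAsync(string user, string password)
    {
        // One CookieContainer shared by every request: the session cookie from step 1
        // and the anti-forgery cookie from step 2 are attached automatically in step 3.
        var cookies = new CookieContainer();
        var handler = new HttpClientHandler { CookieContainer = cookies, AllowAutoRedirect = false };
        using (var client = new HttpClient(handler) { BaseAddress = Site })
        {
            // Step 1: any page starts the session and yields the session cookie.
            (await client.GetAsync("/")).EnsureSuccessStatusCode();

            // Step 2: the sign-in page issues the anti-forgery cookie plus the matching
            // hidden form token. The server checks that the two belong together, so
            // sending the token without the cookie (or a stale pair) is rejected.
            var html = await client.GetStringAsync("/Account/Login");
            var m = Regex.Match(html, @"name=""__RequestVerificationToken""[^>]*value=""([^""]+)""");
            if (!m.Success) throw new InvalidOperationException("no anti-forgery token on the sign-in page");

            // Step 3: POST credentials and the token; the container adds both cookies.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["__RequestVerificationToken"] = m.Groups[1].Value,
                ["UserName"] = user,
                ["Password"] = password,
            });
            var response = await client.PostAsync("/Account/Login", form);

            // Success is a redirect to the portal with an auth cookie set;
            // a 200 means the login form was rendered again.
            return response.StatusCode == HttpStatusCode.Found
                && cookies.GetCookies(Site)[".ASPXAUTH"] != null;
        }
    }
}
```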
