I'm sending an HttpWebRequest to a server, saving the cookies in an environment variable and attaching them to requests. I want to know if it is possible to transfer the cookies to a browser (open some link in the browser) so that the session is preserved. (I authenticate from the console, and I want the authentication to stay when opening a webpage in the browser.)
I have solved this by implementing an API on the server, which gives an id to append to the link to maintain the session.
Related
I am developing an app with Xamarin.iOS and I need to log into my website. For now I managed to send a hardcoded cookie to the login page of the website and it logs me in. This is my first problem: how can I log in, without sending a hardcoded cookie?
And second: In the login function from the website, there are set some session vars and I need to access them in the app, but I have no idea how to do it.
Does anyone have some insight on this?
“This is my first problem: how can I log in, without sending a hardcoded cookie?” – you need to send an HTTP request with appropriate POST parameters, and then the application will send back the login cookie you can use for subsequent requests. Not sure how to do this in Xamarin.iOS though.
“And second: In the login function from the website, there are set some session vars and I need to access them in the app, but I have no idea how to do it.” – Short answer is you can’t. I’d suggest using query string as Rahul already suggested or creating a web service you can use instead.
I need to sign in to a site. I can do this via a URL such as url.com/ssorequest?parameters=123. If this is typed in the address bar, I'm signed in and get redirected to the portal.
Now I'm supposed to do this through an HTTP POST request programmatically, but I can't get it to work. I get redirected to a sign-in form instead of the portal, i.e. I don't get signed in.
I used Fiddler to find out what the difference between the two methods was. I found that a couple of behind-the-scenes GET requests were different. The browser's GET requests send cookie data to the server and Fiddler's POST request does not.
When I use Fiddler to repeat the browser's first call, it doesn't send the cookie data either. So it only works when I do it via the browser window, unless I use breakpoints in Fiddler and tamper with the requests to include the cookie data.
Q: Why does it behave differently from the browser with both http post and when the request is done from Fiddler?
Q: Is there any way to tamper with the requests going out programmatically in my C# app without writing my own Fiddler application?
Most probably you have encountered an anti-forgery cookie. It works in a way to ensure that you are signing in using the page that was first requested and loaded in the browser and the cookie is valid for one request only and hence the fiddler will not be able to log in if you run the same request again.
Using C#, you first have to request the sign-in page and get the cookies provided with this page in a cookie container. Next time, when you post the page along with data, you have to make sure that the cookie is attached with the request.
Edit:
Step 1: Browse any page on the site. This will initiate the session. It will also give you the session cookie.
Step 2: Request the sign-in page. Send the cookie obtained in step one along with the sign-in page request so that it can recognize the session. This step is critical. At this stage, there can be either of two things depending on the security system the site is using. Either it will send a security cookie along with the session cookie or it will add a hidden variable in the form along with a value which serves as a security token. Make sure that you get this token/cookie.
Step 3: Post the login information on the sign-in page (or whatever page the form action leads to) along with the cookie/token obtained in step 1. If it is a token, include it in your post data along with the login information or, if a cookie, add it to the request.
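The request sequence from the answer above, as an added C# example that is not part of the original thread. It uses `HttpClient` with the same `CookieContainer` class the answer refers to, and it runs against a local `HttpListener` stand-in; the port, the cookie name `sid`, the field name `__token` and all values are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

static class LoginFlowDemo
{
    const string Site = "http://localhost:8099/";   // constructed local stand-in, not a real site
    const string Form = "<form method=\"post\"><input type=\"hidden\" name=\"__token\" value=\"tok-456\"></form>";

    // Stand-in server: a GET sets a session cookie and returns a form with a hidden token;
    // a POST counts as signed in only if both the cookie and the token come back.
    static async Task ServeAsync(HttpListener listener, int requests)
    {
        for (int i = 0; i < requests; i++)
        {
            HttpListenerContext ctx = await listener.GetContextAsync();
            string body = new StreamReader(ctx.Request.InputStream).ReadToEnd();
            bool isGet = ctx.Request.HttpMethod == "GET";
            if (isGet) ctx.Response.AppendHeader("Set-Cookie", "sid=s-123; path=/; HttpOnly");
            bool ok = ctx.Request.Cookies["sid"]?.Value == "s-123" && body.Contains("__token=tok-456");
            byte[] reply = Encoding.UTF8.GetBytes(isGet ? Form : ok ? "signed in" : "sign-in form");
            ctx.Response.OutputStream.Write(reply, 0, reply.Length);
            ctx.Response.Close();
        }
    }

    static async Task Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(Site);
        listener.Start();
        Task server = ServeAsync(listener, 2);

        var jar = new CookieContainer();   // carries the session cookie from the GET to the POST
        using var client = new HttpClient(new HttpClientHandler { CookieContainer = jar });
        string page = await client.GetStringAsync(Site + "login");
        string token = Regex.Match(page, "name=\"__token\" value=\"([^\"]+)\"").Groups[1].Value;
        var fields = new Dictionary<string, string>
            { ["user"] = "demo", ["password"] = "constructed", ["__token"] = token };
        HttpResponseMessage resp = await client.PostAsync(Site + "login", new FormUrlEncodedContent(fields));
        Console.WriteLine(await resp.Content.ReadAsStringAsync());   // body of the POST reply
        await server;
        listener.Stop();
    }
}
```

Posting without the `CookieContainer`, or without the `__token` field, makes the stand-in answer with the sign-in form again, which is the behaviour described in the question.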
I'm writing an application which displays a login form before it loads, and it sends a POST request to a web application which I previously developed.
I can send login details off and get returned a 200 message and can receive data within that request. However, I now wish to store this login after the application has closed, to allow the user to not have to log in every time they open the application, or in this case when the computer is restarted. (It will run at boot; however, it needs to remain an application and not a WCF service.)
I'm using HttpWebRequest in C# to handle POST requests to the server, and I can make cookies on the server side. How do I let my application know about these cookies and store them in a secure way to allow persistent login for my entire application? I've looked at a number of ways to store cookies in C# such as these two links:
http://www.c-sharpcorner.com/uploadfile/mahesh/managing-cookies-in-a-wpf-application/
http://msdn.microsoft.com/en-us/library/dd920298(v=vs.95).aspx
However the code in the first link gave me an odd cookie:
"CSCUser2=test-username; android_developer_C:_width=243px; __utma=1.1718972007.1316996246.1316996246.1316996246.1; __utmz=1.1316996246.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); android_developer_reference_lastpage=/C:/AndroidSDK/android-sdk-windows/docs/reference/android/speech/RecognizerIntent.html"
So I'm not sure if that approach is best? Any pointers would be appreciated.
I think the CookieContainer (i.e. the MSDN link) is the correct way to set and get cookies. (By the way: note that your question has nothing to do with WPF or the MVVM pattern. It is a general C#/.NET/HttpWebRequest topic.)
As for caching credentials on the user machine which can be used in subsequent sessions, there are several ways to do this. You can either store the user password in a secure location, or you can store a session key sent to you from the server. The advantage of the second method is that the session key is limited in time (e.g. one week), and after that the user will have to perform a new login. The session key can be delivered to you from the server out of band as a cookie, or with a specific API. Web applications use cookies because they have no access to any persistent store, but your WPF application can store the password or the session key anywhere it wants.
I recommend you use the DPAPI to persist secrets on the user computer. Google for c# and DPAPI to see how to do it in .net.
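One way to persist a time-limited session key with DPAPI, as an added C# example that is not code from the original answer. The file location, the entropy string and the `expiry|key` layout are assumptions made for the illustration; `ProtectedData` is Windows-only and on .NET Core/.NET 5+ comes from the `System.Security.Cryptography.ProtectedData` package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class SessionStore
{
    // Hypothetical per-user location and application-specific entropy (both assumptions).
    static readonly string PathOnDisk = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "DemoApp", "session.bin");
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("DemoApp.session.v1");

    // Encrypts "expiryTicks|sessionKey" so only the current Windows user can decrypt it.
    public static void Save(string sessionKey, DateTime expiresUtc)
    {
        byte[] plain = Encoding.UTF8.GetBytes(expiresUtc.Ticks + "|" + sessionKey);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(PathOnDisk));
        File.WriteAllBytes(PathOnDisk, blob);
        Array.Clear(plain, 0, plain.Length);   // do not leave the plaintext copy in memory
    }

    // Returns the stored key, or null when it is missing, expired, or not decryptable.
    public static string Load()
    {
        if (!File.Exists(PathOnDisk)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(PathOnDisk), Entropy, DataProtectionScope.CurrentUser);
            string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '|' }, 2);
            bool expired = new DateTime(long.Parse(parts[0]), DateTimeKind.Utc) <= DateTime.UtcNow;
            if (expired) { File.Delete(PathOnDisk); return null; }
            return parts[1];
        }
        catch (CryptographicException) { File.Delete(PathOnDisk); return null; }
    }

    static void Main()
    {
        Save("constructed-session-key", DateTime.UtcNow.AddDays(7));   // constructed sample value
        Console.WriteLine(Load() ?? "login required");
    }
}
```

The client-side expiry check only avoids sending a stale key; the server still has to enforce the session lifetime itself.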
Using Web Browser control or http request in C#, when a website creates a cookie (or tries to), is there a way to capture and display that cookie?
Yes, cookies are returned in the Set-Cookie header. You can use the HttpWebResponse.Headers collection to look through all of the headers and read out the cookies, or there's also the Cookies collection which wraps it for you.
Sure, you can use a tool like Fiddler or FireBug to capture and inspect the requests and responses sent during your session. I'm more familiar with Fiddler, so I'm basing my answer and example on it.
For example, if I log in to my company's Outlook Web Access portal, I enter my user name and password, and the OWA client writes a session cookie to my machine. If I have Fiddler running while I log in, I can see this cookie being written as part of the response from the server due to a successful log in:
**Cookies / Login**
Set-Cookie: sessionid=d8ff0256-7339-4049-81c2-fae98f7c3ed5:0x409; path=/
If there are more cookies being sent down, you'll see them listed under the Cookies group.
I can see these cookies if I click on the resource that was requested (the page that I'm taken to after successful login), and then click on the Headers tab in the Response section of Fiddler.
Hope this helps!
I'm using WPF and C#.
I want to be able to launch a browser window, most likely IE, and provide known credentials so that the Windows-based application can handle the transition from itself to an outside browser without having the user enter his/her credentials again.
I do know how to launch the browser:
System.Diagnostics.Process.Start(url);
My main question is, how can I attach authentication to that? Perhaps by adding headers to it somehow?
Lastly, I don't really want to use the new WebBrowser control inside of WPF due to its current problems with displaying with a transparent window.
1) You have to know how to "log in".
To do this, log in manually in the web application and trace the HTTP traffic with an HTTP debugger like Fiddler. Pay attention to what kind of HTTP requests are sent, what names the parameters have, etc.
Once you know what sequence of HTTP requests has to be sent to log in, you have to do this with the browser.
2) Implement log in automatically
2.1) If by any chance log in happens via HTTP GET, just append the right query string to the URL and start the browser. This could happen only if you control the web application and build in this mechanism; otherwise log in is almost always implemented as POST with HTTPS.
2.2) If you have to do POST request you have several options:
2.2.1) You could provide a local HTML document that contains JavaScript and make an AJAX call to the login form from the JavaScript. To pass the parameters you could use GET parameters.
2.2.2) If nothing else works you will have to use the browser via COM (WebBrowser control)
It's going to depend on how the web site handles user authentication. If you own the website, you can create a url that will log the user in with the information you provide.
Nick,
The authentication will be handled in different ways:
Proxy Authentication is handled by Windows manually.
Forms Based authentication is handled by cookies, so the user needs to have the cookies present.
Windows NTLM might be in the 'keychain' on the operating system (Remember this password).
Cheers,
Phil.