Set cookies for all browsers - c#

I want to set domain-specific cookies for Firefox and Chrome, something equivalent to the InternetSetCookie() API, which takes a URL and a cookie name and value and sets it for all browsers. I have already checked that InternetSetCookie() only works for IE. I'm using C# + .NET 4.0 (desktop app) if that is important.
(just to add some clarification, this is kind of a password manager app that stores user's login/password info for his favorite websites and upon clicking a button in the app, it launches user's default browser, goes to login page of that website, submits username/password in POST fields and simply takes user to his home page. Some of these websites send cookies in response to the login page request that I then need to set before making the subsequent login request).

Related

Internet Explorer deletes cookies used by Web browser control C#

I have an application which sets a cookie upon authentication. There is a web browser control within this application to navigate a web application which uses this cookie for authentication.
The problem is, if we have the option 'Delete browsing history on exit' along with cookies checked, then when the last instance of IE is closed, the cookie that is being used by my web browser control is also deleted, in spite of my web browser control being open.
Any suggestions?
Unfortunately the cookie store is commonly used by IE and the embedded WebBrowser control. If by any means you delete the IE cookies, the ActiveX's cookies will be deleted as well.

Should cookie be sent in Request header for POST when simulating the process of logging into a website?

In the simulation of logging into a website with C# (a banking website specifically), should there be any cookie expected in the POST request HttpWebRequest (if this C# simulation parallels the process of a web browser visiting the site for its first time and logging in)? Do I need to include HttpWebRequest.Headers.Add("Cookie", cookieString) or should the cookie be omitted (since it's a first visit)? According to my understanding, a web browser receives its first cookie after its first visit; the browser doesn't have any cookie to submit when it requests a website on its first visit. However, the browser will be able to submit cookies on its second visit (and third, etc).

Tamper with http requests programmatically

I need to sign in to a site. I can do this via a URL such as url.com/ssorequest?parameters=123. If this is typed in the address, I'm signed in and get redirected to the portal.
Now I'm supposed to do this through an HTTP POST request programmatically, but I can't get it to work. I get redirected to a sign-in form instead of the portal, i.e. I don't get signed in.
I used Fiddler to find out what the difference between the two methods was. I found that a couple of behind-the-scenes GET requests were different. The browser's GET requests send cookie data to the server and Fiddler's POST request does not.
When I use Fiddler to repeat the browser's first call, it doesn't send the cookie data either. So it only works when I do it via the browser window, unless I use breakpoints in Fiddler and tamper with the requests to include the cookie data.
Q: Why does it behave differently from the browser with both HTTP POST and when the request is done from Fiddler?
Q: Is there any way to tamper with the requests going out programmatically in my C# app without writing my own Fiddler application?
Most probably you have encountered an anti-forgery cookie. It works in a way to ensure that you are signing in using the page that was first requested and loaded in the browser, and the cookie is valid for one request only, hence Fiddler will not be able to log in if you run the same request again.
Using C#, you first have to request the sign-in page and get the cookies provided with this page in a cookie container. Next time, when you post the page along with data, you have to make sure that the cookie is attached to the request.
Edit:
Step 1: Browse any page on the site. This will initiate the session. It will also give you the session cookie.
Step 2: Request the sign-in page. Send the cookie obtained in step one along with the sign-in page request so that it can recognize the session. This step is critical. At this stage, there can be either of two things depending on the security system the site is using. Either it will send a security cookie along with the session cookie or it will add a hidden variable in the form along with a value which serves as a security token. Make sure that you get this token/cookie.
Step 3: Post the login information on the sign-in page (or whatever page the form action leads to) along with the cookie/token obtained in step 1. If it is a token, include it in your post data along with the login information or, if a cookie, add it to the request.
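
The three steps in the answer above, run offline as an added example that is not part of the original post: one CookieContainer plays the role of the browser's cookie store, which also shows that a first request carries no Cookie header. The site URL, the Set-Cookie value, the form HTML and the `csrf_token` field name are constructed sample data.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class LoginFlowSketch
{
    // Constructed sample data standing in for the server's responses.
    static readonly Uri Site = new Uri("https://portal.example.test/");
    const string SessionSetCookie = "SessionId=abc123; Path=/; HttpOnly";
    const string SignInHtml =
        "<form action=\"/signin\" method=\"post\">" +
        "<input type=\"hidden\" name=\"csrf_token\" value=\"tok-7f3a&amp;x\" />" +
        "<input name=\"user\" /><input type=\"password\" name=\"pass\" /></form>";

    // Pull a hidden field's value out of the sign-in page
    // (simple pattern: expects name="..." before value="...").
    public static string ExtractHidden(string html, string field)
    {
        Match m = Regex.Match(html,
            "<input[^>]*name=\"" + Regex.Escape(field) + "\"[^>]*value=\"([^\"]*)\"");
        return m.Success ? WebUtility.HtmlDecode(m.Groups[1].Value) : null;
    }

    // Form-encode the login POST, token included.
    public static string BuildPostBody(string token, string user, string pass)
    {
        return "csrf_token=" + Uri.EscapeDataString(token) +
               "&user=" + Uri.EscapeDataString(user) +
               "&pass=" + Uri.EscapeDataString(pass);
    }

    static void Main()
    {
        // One jar for the whole flow; with HttpWebRequest, assign it to
        // request.CookieContainer on every request instead of adding headers.
        var jar = new CookieContainer();
        Uri signIn = new Uri(Site, "/signin");
        // Step 1: first visit, nothing to send yet.
        Console.WriteLine("Cookie before first response: '" + jar.GetCookieHeader(Site) + "'");
        jar.SetCookies(Site, SessionSetCookie);   // what the first response set
        // Step 2: the sign-in page is requested with the session cookie.
        string token = ExtractHidden(SignInHtml, "csrf_token");
        if (token == null) throw new InvalidOperationException("no token in form");
        // Step 3: the POST carries both the cookie and the token.
        Console.WriteLine("Cookie: " + jar.GetCookieHeader(signIn));
        Console.WriteLine(BuildPostBody(token, "alice", "constructed-password"));
    }
}
```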

URL rewrite in ASP.NET application

How do I redirect a URL based on the registered client in C# .NET or ASP.NET 4.0? For example, if a client registers as "client1" and our website is www.mycompany.com, for every page the client proceeds to, they should get www.client1.mycompany.com.
More detailed example:
For example, another client created is Client2. The pages I have created in general are like
"www.mycompany.com/product.aspx"
"www.mycompany.com/categories.aspx" should be shown as
"www.client2.mycompany.com/product.aspx" and
"www.client2.mycompany.com/categories.aspx" respectively
I have searched on the web and found solutions for static pages or using Global.asax during startup of the application, but haven't found anything for after the user has logged in.
I have done something similar before in a few sites and there are a couple methods you could use. Assuming that you have a url setup so that all subdomains ( *.url.com) will send any user to your server and you have IIS setup to handle them all (i.e. no host header required, just IP) in the same site you can use one of the following methods:
After login simply send the user to that url. Since .Net won’t care the url the server knows how to render it, then it should be that simple. This assumes all your navigation uses relative paths and you must enable cookie sharing for that domain. This is required if the cookie for login was given on 1.url.com and you send them to 2.url.com. You can share cookies in the same domain; it requires a little work, but can be done.
Create a generic login page that does a web service request back to the server to see if the user can log in. If he or she can, have it send back to the browser a command, along with the correct url, that tells the client's browser to post directly to that site's login page (send username, password). This will log them into their site and assign the cookies correctly, all from one simple login page. You could even make an external login page that only exists for this purpose. In the end all the generic page did was see if they could log in and then sent their credentials to the correct page that did the login. I recommend this be done in a post with SSL for security reasons.
I hope that makes sense.
There's a project called UrlRewritingNet which I use - it's pretty old but the source is available so you could recompile it for 4.0.
Link is at http://urlrewriting.net/149/en/home.html

How websites check for user login status?

What type of security is maintained in any website or web application? After login, whenever we copy the address from the address bar and paste it into another browser, the page cannot be opened or we get redirected directly to the login page. But the same address can be opened in the same browser. So I want to ask: how is the security maintained and what is it called? Thanks in advance.
If you are using Forms Authentication the whole security model is based on cookies. So when a user logs in an authentication cookie is emitted for the session of the browser. This cookie is then sent along on each request. The cookie could be persistent (i.e. stored on the local disk) and will survive browser restarts or it could be not-persistent in which case it only lives in the memory of the browser.
This cookie contains an encrypted value of the currently logged in username, which allows the server to decrypt this cookie and recognize this user.
When you move on another browser, there is no cookie being sent, so from the server's perspective the user is not authenticated and it gets redirected to the login page if he tries to access some protected resource.
Cookie
Browsers work with cookies, and authentication is mainly (almost always) done via cookies. The procedure is this way:
You go to a website by entering the URL of the site into the address bar.
Browser checks to see if there is any cookie (key/value pair) set for that URL.
If there is any set cookie, browser sends those cookies alongside HTTP Request.
That website checks for that cookie, before letting you see the requested content (before sending you back the response)
If you have the cookie, it responds.
If not, it redirects you to another page (login page) where it can ask your user name and password (most simple authentication mechanism).
When you provide your user name and password, it simply sends you a cookie (authentication cookie).
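
The server-side decision both answers describe, as an added sketch that is not part of the original posts: it uses an HMAC-signed ticket rather than the encrypted ticket Forms Authentication issues, and the cookie format, the demo key and the class name are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class AuthCookieSketch
{
    // Constructed demo key; a real server key is random and kept secret.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-key-not-for-production-use!");
    static string Sign(string payload)
    {
        using (var h = new HMACSHA256(Key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Cookie value = base64(username|expiryTicks) + "." + base64(HMAC)
    public static string Issue(string user, DateTime expiresUtc)
    {
        string payload = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(user + "|" + expiresUtc.Ticks));
        return payload + "." + Sign(payload);
    }

    // Returns the username, or null when the request must go to the login page.
    public static string Validate(string cookie, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(cookie)) return null;   // e.g. a different browser
        string[] parts = cookie.Split('.');
        if (parts.Length != 2 || !FixedTimeEquals(Sign(parts[0]), parts[1])) return null;
        string[] f = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])).Split('|');
        long ticks;
        if (f.Length != 2 || !long.TryParse(f[1], out ticks)) return null;
        return ticks > nowUtc.Ticks ? f[0] : null;        // null once the ticket expired
    }
    // Compare without stopping at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string cookie = Issue("alice", now.AddMinutes(20));
        Console.WriteLine(Validate(cookie, now) ?? "-> /login");        // valid ticket
        Console.WriteLine(Validate(null, now) ?? "-> /login");          // no cookie sent
        Console.WriteLine(Validate("x" + cookie, now) ?? "-> /login");  // altered ticket
    }
}
```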
