Session Cookie and HttpWebResponse

[Karsten Grombach]

Hi,

I'm trying the following:
- Imitate a Logon using a Post with HttpWebRequest on remote Webserver (asp
3.0 page using https)
- On success redirect to the page (encapsuled in an iframe) supplied by the
remote Webserver

I can successfuly logon but when I redirect to the supplied url, the
webserver does not know me anymore an redirects me back to login page.. I
was told that I need to store the session cookie supplied by the remote
webserver on my webserver, but I don't know how to pass the session cookie
to my my webserver..

Sample Code follows:
Dim urlRed As String = https://book.bla.at/AM/booking/asp/login.asp
Dim wReq As HttpWebRequest = CType(WebRequest.Create(urlRed),
HttpWebRequest)
wReq.ContentType = "application/x-www-form-urlencoded"
wReq.Method = "POST"

Dim sPostData As String = "" & Session.SessionID
sPostData = sPostData & "&USERNAME=" & HttpUtility.UrlEncode("myuser")
sPostData = sPostData & "&password=" & HttpUtility.UrlEncode("mypassword")
sPostData = sPostData & "&language=" & HttpUtility.UrlEncode("DE_AT")

Dim enc As System.Text.Encoding = System.Text.Encoding.UTF8
Dim bPostBuffer As Byte() = enc.GetBytes(sPostData)
wReq.ContentLength = bPostBuffer.Length
Dim streamPostData As Stream = wReq.GetRequestStream()
streamPostData.Write(bPostBuffer, 0, bPostBuffer.Length)
streamPostData.Close()

Dim wResp As HttpWebResponse = CType(wReq.GetResponse(), HttpWebResponse)
Dim responseStream As StreamReader = New
StreamReader(wResp.GetResponseStream(), enc)

' Here I get the correct url to the welcome page encapsuled in html
Dim html As String = responseStream.ReadToEnd()wResp.Close()
responseStream.Close()

Response.Write(html)

Thanks and Regards
Karsten

 

[Philip Q [MVP]]

You can't really pass the session cookie, or any form of cookie. This is
because cookies have certain security on them which means that only the
domain/application that assigned them, can get them (this was at the centre
of a Passport hack a few years ago).
Instead, you can pass the variables in to a querystring on the request, or
you can use a stateserver/sql server to store the cookie data and have both
webservers get the information off that.

 

[Karsten Grombach]

Hi Philip,

Thanks for your reply, but I don't quite understand you...
Using the sateserver/sqlserver is no option as we cannot change the legacy
asp application to use that anymore..
Do I have to pass my current (asp.net ) session ID with the
querystring/postdata to the asp application?
Regards
Karsten

You can't really pass the session cookie, or any form of cookie. This is
because cookies have certain security on them which means that only the
domain/application that assigned them, can get them (this was at the centre
of a Passport hack a few years ago).
Instead, you can pass the variables in to a querystring on the request, or
you can use a stateserver/sql server to store the cookie data and have both
webservers get the information off that.

--
Philip Q
Microsoft MVP [ASP.NET]
http://aspalliance.com/wisemonk/

Hi,

I'm trying the following:
- Imitate a Logon using a Post with HttpWebRequest on remote Webserver (asp
3.0 page using https)
- On success redirect to the page (encapsuled in an iframe) supplied by the
remote Webserver

I can successfuly logon but when I redirect to the supplied url, the
webserver does not know me anymore an redirects me back to login page.. I
was told that I need to store the session cookie supplied by the remote
webserver on my webserver, but I don't know how to pass the session cookie
to my my webserver..

Sample Code follows:
Dim urlRed As String = https://book.bla.at/AM/booking/asp/login.asp
Dim wReq As HttpWebRequest = CType(WebRequest.Create(urlRed),
HttpWebRequest)
wReq.ContentType = "application/x-www-form-urlencoded"
wReq.Method = "POST"

Dim sPostData As String = "" & Session.SessionID
sPostData = sPostData & "&USERNAME=" & HttpUtility.UrlEncode("myuser")
sPostData = sPostData & "&password=" & HttpUtility.UrlEncode("mypassword")
sPostData = sPostData & "&language=" & HttpUtility.UrlEncode("DE_AT")

Dim enc As System.Text.Encoding = System.Text.Encoding.UTF8
Dim bPostBuffer As Byte() = enc.GetBytes(sPostData)
wReq.ContentLength = bPostBuffer.Length
Dim streamPostData As Stream = wReq.GetRequestStream()
streamPostData.Write(bPostBuffer, 0, bPostBuffer.Length)
streamPostData.Close()

Dim wResp As HttpWebResponse = CType(wReq.GetResponse(), HttpWebResponse)
Dim responseStream As StreamReader = New
StreamReader(wResp.GetResponseStream(), enc)

' Here I get the correct url to the welcome page encapsuled in html
Dim html As String = responseStream.ReadToEnd()wResp.Close()
responseStream.Close()

Response.Write(html)

Thanks and Regards
Karsten

 

[Karsten Grombach]

when using a proxy page, the solution is quite simple: just add hidden input
fields and submit them to the legacy server..
i don't really like the javascript part, but after having spent an afternoon
and a morning trying to solve this, i won't complain...

thanks all, for helping me!

here my proxpage which gets set to the iframe src attribute..

<%@ Page Language="vb" AutoEventWireup="false"
Codebehind="airmanagerproxy.aspx.vb" Inherits="TestWeb.airmanagerproxy"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>airmanagerproxy</title>
<meta name="GENERATOR" content="Microsoft Visual Studio.NET 7.0">
<meta name="CODE_LANGUAGE" content="Visual Basic 7.0">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema"
content="http://schemas.microsoft.com/intellisense/ie5">
</head>
<body MS_POSITIONING="GridLayout" >
<script language=javascript>
function submitIt()
{

document.proxyForm.action="https://book.bla.at/AM/business/AT/booking/asp/lo
gin.asp";
document.proxyForm.method="POST"

document.proxyForm.submit();

}
window.setTimeout("submitIt()",2000);

</script>
<form id="proxyForm" method="post" runat="server">
</form>
</body>
</html>

CodeBehind:
Imports System.Web.UI.HtmlControls
Public Class airmanagerproxy
Inherits System.Web.UI.Page
#Region " Vom Web Form Designer generierter Code "

'Dieser Aufruf ist für den Web Form-Designer erforderlich.
<System.Diagnostics.DebuggerStepThrough()> Private Sub
InitializeComponent()
End Sub

Private Sub Page_Init(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Init
'CODEGEN: Diese Methode ist für den Web Form-Designer erforderlich
'Verwenden Sie nicht den Code-Editor zur Bearbeitung.
InitializeComponent()
End Sub
#End Region

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
' Hier Benutzercode zur Seiteninitialisierung einfügen
Me.EnableViewState = False

' create the hiddenfields
' values are still hardcoded
Dim userName As HtmlInputHidden = New HtmlInputHidden()
userName.Name = "USERNAME"
userName.ID = "USERNAME"
userName.Value = "xxx"
Dim password As HtmlInputHidden = New HtmlInputHidden()
password.Name = "password"
password.ID = "password"
password.Value = "xxx"
Dim language As HtmlInputHidden = New HtmlInputHidden()
language.Name = "language"
language.ID = "language"
language.Value = "DE_AT"

' add the hiddenfields to the form
Dim form As Control = Me.FindControl("proxyForm")
form.Controls.Add(userName)
form.Controls.Add(password)
form.Controls.Add(language)

End Sub
End Class