Session Cookie and HttpWebResponse

[Karsten Grombach]

Hi,

I'm trying the following:
- Imitate a Logon using a Post with HttpWebRequest on remote Webserver (asp
3.0 page using https)
- On success redirect to the page (encapsuled in an iframe) supplied by the
remote Webserver

I can successfuly logon but when I redirect to the supplied url, the
webserver does not know me anymore an redirects me back to login page.. I
was told that I need to store the session cookie supplied by the remote
webserver on my webserver, but I don't know how to pass the session cookie
to my my webserver..

Sample Code follows:
Dim urlRed As String = [url]https://book.bla.at/AM/booking/asp/login.asp[/url]
Dim wReq As HttpWebRequest = CType(WebRequest.Create(urlRed),
HttpWebRequest)
wReq.ContentType = "application/x-www-form-urlencoded"
wReq.Method = "POST"

Dim sPostData As String = "" & Session.SessionID
sPostData = sPostData & "&USERNAME=" & HttpUtility.UrlEncode("myuser")
sPostData = sPostData & "&password=" & HttpUtility.UrlEncode("mypassword")
sPostData = sPostData & "&language=" & HttpUtility.UrlEncode("DE_AT")

Dim enc As System.Text.Encoding = System.Text.Encoding.UTF8
Dim bPostBuffer As Byte() = enc.GetBytes(sPostData)
wReq.ContentLength = bPostBuffer.Length
Dim streamPostData As Stream = wReq.GetRequestStream()
streamPostData.Write(bPostBuffer, 0, bPostBuffer.Length)
streamPostData.Close()

Dim wResp As HttpWebResponse = CType(wReq.GetResponse(), HttpWebResponse)
Dim responseStream As StreamReader = New
StreamReader(wResp.GetResponseStream(), enc)

' Here I get the correct url to the welcome page encapsuled in html
Dim html As String = responseStream.ReadToEnd()wResp.Close()
responseStream.Close()

Response.Write(html)

Thanks and Regards
Karsten

[Philip Q [MVP]]

You can't really pass the session cookie, or any form of cookie. This is
because cookies have certain security on them which means that only the
domain/application that assigned them, can get them (this was at the centre
of a Passport hack a few years ago).
Instead, you can pass the variables in to a querystring on the request, or
you can use a stateserver/sql server to store the cookie data and have both
webservers get the information off that.

--
Philip Q
Microsoft MVP [ASP.NET]
[url]http://aspalliance.com/wisemonk/[/url]

"Karsten Grombach" <aykarsino@spamumluex.de> wrote in message
news:ei4$SrOUDHA.2036@TK2MSFTNGP10.phx.gbl...

> Hi,
>
> I'm trying the following:
> - Imitate a Logon using a Post with HttpWebRequest on remote Webserver

(asp

> 3.0 page using https)
> - On success redirect to the page (encapsuled in an iframe) supplied by

the

> remote Webserver
>
> I can successfuly logon but when I redirect to the supplied url, the
> webserver does not know me anymore an redirects me back to login page.. I
> was told that I need to store the session cookie supplied by the remote
> webserver on my webserver, but I don't know how to pass the session cookie
> to my my webserver..
>
> Sample Code follows:
> Dim urlRed As String = [url]https://book.bla.at/AM/booking/asp/login.asp[/url]
> Dim wReq As HttpWebRequest = CType(WebRequest.Create(urlRed),
> HttpWebRequest)
> wReq.ContentType = "application/x-www-form-urlencoded"
> wReq.Method = "POST"
>
> Dim sPostData As String = "" & Session.SessionID
> sPostData = sPostData & "&USERNAME=" & HttpUtility.UrlEncode("myuser")
> sPostData = sPostData & "&password=" & HttpUtility.UrlEncode("mypassword")
> sPostData = sPostData & "&language=" & HttpUtility.UrlEncode("DE_AT")
>
> Dim enc As System.Text.Encoding = System.Text.Encoding.UTF8
> Dim bPostBuffer As Byte() = enc.GetBytes(sPostData)
> wReq.ContentLength = bPostBuffer.Length
> Dim streamPostData As Stream = wReq.GetRequestStream()
> streamPostData.Write(bPostBuffer, 0, bPostBuffer.Length)
> streamPostData.Close()
>
> Dim wResp As HttpWebResponse = CType(wReq.GetResponse(), HttpWebResponse)
> Dim responseStream As StreamReader = New
> StreamReader(wResp.GetResponseStream(), enc)
>
> ' Here I get the correct url to the welcome page encapsuled in html
> Dim html As String = responseStream.ReadToEnd()wResp.Close()
> responseStream.Close()
>
> Response.Write(html)
>
> Thanks and Regards
> Karsten
>
>

[Karsten Grombach]

Hi Philip,

Thanks for your reply, but I don't quite understand you...
Using the sateserver/sqlserver is no option as we cannot change the legacy
asp application to use that anymore..
Do I have to pass my current (asp.net ) session ID with the
querystring/postdata to the asp application?
Regards
Karsten


"Philip Q [MVP]" <wisemonk@mvps.org> schrieb im Newsbeitrag
news:eeUgR%23PUDHA.2088@TK2MSFTNGP10.phx.gbl...

> You can't really pass the session cookie, or any form of cookie. This is
> because cookies have certain security on them which means that only the
> domain/application that assigned them, can get them (this was at the

centre

> of a Passport hack a few years ago).
> Instead, you can pass the variables in to a querystring on the request, or
> you can use a stateserver/sql server to store the cookie data and have

both

> webservers get the information off that.
>
> --
> Philip Q
> Microsoft MVP [ASP.NET]
> [url]http://aspalliance.com/wisemonk/[/url]
>
> "Karsten Grombach" <aykarsino@spamumluex.de> wrote in message
> news:ei4$SrOUDHA.2036@TK2MSFTNGP10.phx.gbl...

> > Hi,
> >
> > I'm trying the following:
> > - Imitate a Logon using a Post with HttpWebRequest on remote Webserver

> (asp

> > 3.0 page using https)
> > - On success redirect to the page (encapsuled in an iframe) supplied by

> the

> > remote Webserver
> >
> > I can successfuly logon but when I redirect to the supplied url, the
> > webserver does not know me anymore an redirects me back to login page..

I

> > was told that I need to store the session cookie supplied by the remote
> > webserver on my webserver, but I don't know how to pass the session

cookie

> > to my my webserver..
> >
> > Sample Code follows:
> > Dim urlRed As String = [url]https://book.bla.at/AM/booking/asp/login.asp[/url]
> > Dim wReq As HttpWebRequest = CType(WebRequest.Create(urlRed),
> > HttpWebRequest)
> > wReq.ContentType = "application/x-www-form-urlencoded"
> > wReq.Method = "POST"
> >
> > Dim sPostData As String = "" & Session.SessionID
> > sPostData = sPostData & "&USERNAME=" & HttpUtility.UrlEncode("myuser")
> > sPostData = sPostData & "&password=" &

HttpUtility.UrlEncode("mypassword")

> > sPostData = sPostData & "&language=" & HttpUtility.UrlEncode("DE_AT")
> >
> > Dim enc As System.Text.Encoding = System.Text.Encoding.UTF8
> > Dim bPostBuffer As Byte() = enc.GetBytes(sPostData)
> > wReq.ContentLength = bPostBuffer.Length
> > Dim streamPostData As Stream = wReq.GetRequestStream()
> > streamPostData.Write(bPostBuffer, 0, bPostBuffer.Length)
> > streamPostData.Close()
> >
> > Dim wResp As HttpWebResponse = CType(wReq.GetResponse(),

HttpWebResponse)

> > Dim responseStream As StreamReader = New
> > StreamReader(wResp.GetResponseStream(), enc)
> >
> > ' Here I get the correct url to the welcome page encapsuled in html
> > Dim html As String = responseStream.ReadToEnd()wResp.Close()
> > responseStream.Close()
> >
> > Response.Write(html)
> >
> > Thanks and Regards
> > Karsten
> >
> >

>

[Karsten Grombach]

when using a proxy page, the solution is quite simple: just add hidden input
fields and submit them to the legacy server..
i don't really like the javascript part, but after having spent an afternoon
and a morning trying to solve this, i won't complain...

thanks all, for helping me!

here my proxpage which gets set to the iframe src attribute..

<%@ Page Language="vb" AutoEventWireup="false"
Codebehind="airmanagerproxy.aspx.vb" Inherits="TestWeb.airmanagerproxy"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>airmanagerproxy</title>
<meta name="GENERATOR" content="Microsoft Visual Studio.NET 7.0">
<meta name="CODE_LANGUAGE" content="Visual Basic 7.0">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema"
content="http://schemas.microsoft.com/intellisense/ie5">
</head>
<body MS_POSITIONING="GridLayout" >
<script language=javascript>
function submitIt()
{

document.proxyForm.action="https://book.bla.at/AM/business/AT/booking/asp/lo
gin.asp";
document.proxyForm.method="POST"

document.proxyForm.submit();

}
window.setTimeout("submitIt()",2000);

</script>
<form id="proxyForm" method="post" runat="server">
</form>
</body>
</html>

CodeBehind:
Imports System.Web.UI.HtmlControls
Public Class airmanagerproxy
Inherits System.Web.UI.Page
#Region " Vom Web Form Designer generierter Code "

'Dieser Aufruf ist für den Web Form-Designer erforderlich.
<System.Diagnostics.DebuggerStepThrough()> Private Sub
InitializeComponent()
End Sub

Private Sub Page_Init(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Init
'CODEGEN: Diese Methode ist für den Web Form-Designer erforderlich
'Verwenden Sie nicht den Code-Editor zur Bearbeitung.
InitializeComponent()
End Sub
#End Region

Private Sub Page_Load(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles MyBase.Load
' Hier Benutzercode zur Seiteninitialisierung einfügen
Me.EnableViewState = False

' create the hiddenfields
' values are still hardcoded
Dim userName As HtmlInputHidden = New HtmlInputHidden()
userName.Name = "USERNAME"
userName.ID = "USERNAME"
userName.Value = "xxx"
Dim password As HtmlInputHidden = New HtmlInputHidden()
password.Name = "password"
password.ID = "password"
password.Value = "xxx"
Dim language As HtmlInputHidden = New HtmlInputHidden()
language.Name = "language"
language.ID = "language"
language.Value = "DE_AT"

' add the hiddenfields to the form
Dim form As Control = Me.FindControl("proxyForm")
form.Controls.Add(userName)
form.Controls.Add(password)
form.Controls.Add(language)

End Sub
End Class





"John Saunders" <john.saunders@surfcontrol.com> schrieb im Newsbeitrag
news:%23gl5RoQUDHA.612@TK2MSFTNGP12.phx.gbl...

> Sorry, I don't think you can do what you want to do in the way you want to
> do it.
>
> Work it out step by step. Let's call the client browser machine A, your
> ASP.NET server machine B, and the legacy server machine C. A makes some
> request to B. B logs into C and gets a cookie sent back to it by C.
>
> BTW, I don't see you storing that cookie. Look into the CookieContainer
> class.
>
> So, B figures out where C redirected it to then puts that URL into the SRC
> attribute of an IFRAME and sends it to A. A then requests that URL but

does

> not send to C the cookie which C sent to B, which isn't surprising because

B

> didn't store it, and certainly didn't send it to A, and if it had sent it

to

> A, then A wouldn't know to send it to C, which A has never heard of!
>
> It sounds like you're going to need some sort of proxy page running on B.
> You'd have to store the cookie you get during login to C into Session

state

> on B, then send your user an IFRAME pointing to your proxy on B, with the
> real URL as a query parameter. The proxy would load up the CookieContainer
> from Session state, request the legacy page (from the query parameter) via

a

> WebRequest, and then return the output back to A.
>
> You will similarly want to use a CookieContainer in that proxy page, and
> store any new cookies in Session state for use in subsequent requests

during

> the same session.
>
> Note that this analysis totally ignores any issues with SSL, as it's too
> early in the morning for that!
>
> Also note that this might be a good job for an HttpHandler on B, as the
> "proxy page" isn't really a page (it wouldn't have any controls on it).
>
> Good Luck. THis sounds like a generally-useful piece of functionality

you're

> going to implement. Let us know how it works out.
> --
> John Saunders
> Internet Engineer
> [email]john.saunders@surfcontrol.com[/email]
>
>
> "Karsten Grombach" <aykarsino@spamumluex.de> wrote in message
> news:ei4$SrOUDHA.2036@TK2MSFTNGP10.phx.gbl...

> > Hi,
> >
> > I'm trying the following:
> > - Imitate a Logon using a Post with HttpWebRequest on remote Webserver

> (asp

> > 3.0 page using https)
> > - On success redirect to the page (encapsuled in an iframe) supplied by

> the

> > remote Webserver
> >
> > I can successfuly logon but when I redirect to the supplied url, the
> > webserver does not know me anymore an redirects me back to login page..

I

> > was told that I need to store the session cookie supplied by the remote
> > webserver on my webserver, but I don't know how to pass the session

cookie

> > to my my webserver..
> >
> > Sample Code follows:
> > Dim urlRed As String = [url]https://book.bla.at/AM/booking/asp/login.asp[/url]
> > Dim wReq As HttpWebRequest = CType(WebRequest.Create(urlRed),
> > HttpWebRequest)
> > wReq.ContentType = "application/x-www-form-urlencoded"
> > wReq.Method = "POST"
> >
> > Dim sPostData As String = "" & Session.SessionID
> > sPostData = sPostData & "&USERNAME=" & HttpUtility.UrlEncode("myuser")
> > sPostData = sPostData & "&password=" &

HttpUtility.UrlEncode("mypassword")

> > sPostData = sPostData & "&language=" & HttpUtility.UrlEncode("DE_AT")
> >
> > Dim enc As System.Text.Encoding = System.Text.Encoding.UTF8
> > Dim bPostBuffer As Byte() = enc.GetBytes(sPostData)
> > wReq.ContentLength = bPostBuffer.Length
> > Dim streamPostData As Stream = wReq.GetRequestStream()
> > streamPostData.Write(bPostBuffer, 0, bPostBuffer.Length)
> > streamPostData.Close()
> >
> > Dim wResp As HttpWebResponse = CType(wReq.GetResponse(),

HttpWebResponse)

> > Dim responseStream As StreamReader = New
> > StreamReader(wResp.GetResponseStream(), enc)
> >
> > ' Here I get the correct url to the welcome page encapsuled in html
> > Dim html As String = responseStream.ReadToEnd()wResp.Close()
> > responseStream.Close()
> >
> > Response.Write(html)
> >
> > Thanks and Regards
> > Karsten
> >
> >

>
>