4

Okay I tried asking this question yesterday but i'm not sure if I gave enough info, i got an answer but it hasn't worked for me. Basically what i'm doing is the user opens this windows forms application and logs in. Afterwhich they enter some text into a textbox and click run. At this point the run function is making a webrequest to a server that requires a login (the login that is initially done after they open the program. For some reason its still not seeing that the user is logged in when performing the second request even though the cookies are added too a cookie container. I'm not sure what i'm doing wrong but I will post my code so you can further help me.

This is the function that is performed for the login when the user enters the application.

private void button1_Click(object sender, EventArgs e)
{
    string paramaters = "authmethod=on&chkRememberMe=on&login-form-type=pwd&password=" + pw.Text + "&userid=" + uid.Text + "&username=" + uid.Text;
    string strResponse;
    HttpWebRequest requestLogin = (HttpWebRequest)WebRequest.Create("https://www.url.com/login.form");
    requestLogin.Method = "POST";
    requestLogin.CookieContainer = cookieJar;
    requestLogin.ContentType = "application/x-www-form-urlencoded";

    requestLogin.ContentLength = paramaters.Length;
    StreamWriter stOut = new StreamWriter(requestLogin.GetRequestStream(), System.Text.Encoding.ASCII);
    stOut.Write(paramaters);
    stOut.Close();

    HttpWebResponse responseLogin = (HttpWebResponse)requestLogin.GetResponse();
    StreamReader stIn = new StreamReader(responseLogin.GetResponseStream());
    strResponse = stIn.ReadToEnd();
    stIn.Close();

    //Add cookies to CookieJar (Cookie Container)
    foreach (Cookie cookie in responseLogin.Cookies)
    {
        cookieJar.Add(new Cookie(cookie.Name.Trim(), cookie.Value.Trim(), cookie.Path, cookie.Domain));
        richTextBox2.Text += cookie.Name.ToString() + Environment.NewLine + cookie.Value.ToString() + Environment.NewLine + cookie.Path.ToString() + Environment.NewLine + cookie.Domain.ToString();
    }

    if (strResponse.Contains("Log On Successful") || strResponse.Contains("already has a webseal session"))
    {
        foreach (Control cont in this.Controls)
        {
            cont.Visible = true;
        }
        loginPanel.SendToBack();
        loginPanel.Visible = false;
    }
    else
    {
        MessageBox.Show("Login failed.");
    }
}

This is the function that is ran when the user clicks the "run" button to initiate the tests on a consumer account.

private string runTestRequest(Uri url, string parameters)
{
    string testResults = string.Empty;
    HttpWebRequest runTest = (HttpWebRequest)WebRequest.Create(url);
    runTest.CookieContainer = cookieJar;
    runTest.Method = "POST";
    runTest.ContentType = "application/x-www-form-urlencoded";
    StreamWriter stOut = new StreamWriter(runTest.GetRequestStream(), System.Text.Encoding.ASCII);
    stOut.Write(parameters);
    stOut.Close();
    StreamReader stIn = new StreamReader(runTest.GetResponse().GetResponseStream());
    testResults = stIn.ReadToEnd();
    stIn.Close();
    return testResults;
}

And of course this is my cookie container object

public CookieContainer cookieJar = new CookieContainer();

P.S.: The domains of the webrequests are different. First being abc.com 2nd being 123.com The only problem is that the first domain (which is the login) is a global login for internal web applications like 123.com, so how would i use the login session from the 1st domain with the 2nd domain?

Can you please assist in helping me figure out what I am doing wrong.

John Saunders
  • 160,644
  • 26
  • 247
  • 397
Alex
  • 2,114
  • 9
  • 25
  • 34
  • Without having access to either of the sites and seeing how they handle the session I would presume the first passes a token to the second acknowledging it's authorized and accepted. Is there a URL forward you're not seeing or something? May also recommend using Firefox/TamperData to see all transactions and see if you are in-fact duplicating everything it's performing. Edit: Also, I doubt cookies are the token, though I could be wrong, as this would be an XSS attack. There's got to be something either post/get data that's being handed off somewhere. – Brad Christie Nov 12 '10 at 16:00

2 Answers2

1
string url = "http://www.ABC/MemberShip/Login.aspx";// HttpContext.Current.Request.Url.AbsoluteUri.ToString().Replace("AutoLogin", "Login");
CookieContainer myCookieContainer = new CookieContainer();
HttpWebRequest request = WebRequest.Create(url) as HttpWebRequest;
request.CookieContainer = myCookieContainer;
request.Method = "GET";
request.KeepAlive = false;

HttpWebResponse response = request.GetResponse() as HttpWebResponse;

System.IO.Stream responseStream = response.GetResponseStream();
System.IO.StreamReader reader = new System.IO.StreamReader(responseStream, Encoding.UTF8);
string srcString = reader.ReadToEnd();

// get the page ViewState                
string viewStateFlag = "id=\"__VIEWSTATE\" value=\"";
int i = srcString.IndexOf(viewStateFlag) + viewStateFlag.Length;
int j = srcString.IndexOf("\"", i);
string viewState = srcString.Substring(i, j - i);

// get page EventValidation                
string eventValidationFlag = "id=\"__EVENTVALIDATION\" value=\"";
i = srcString.IndexOf(eventValidationFlag) + eventValidationFlag.Length;
j = srcString.IndexOf("\"", i);
string eventValidation = srcString.Substring(i, j - i);

string submitButton = "LoginButton";

// UserName and Password
string userName = "userid";
string password = "password";
// Convert the text into the url encoding string
viewState = System.Web.HttpUtility.UrlEncode(viewState);
eventValidation = System.Web.HttpUtility.UrlEncode(eventValidation);
submitButton = System.Web.HttpUtility.UrlEncode(submitButton);

// Concat the string data which will be submit
string formatString =
         "txtUserName={0}&txtPassword={1}&btnSignIn={2}&__VIEWSTATE={3}&__EVENTVALIDATION={4}";
string postString =
         string.Format(formatString, userName, password, submitButton, viewState, eventValidation);

// Convert the submit string data into the byte array
byte[] postData = Encoding.ASCII.GetBytes(postString);

// Set the request parameters
request = WebRequest.Create(url) as HttpWebRequest;
request.Method = "POST";
request.Referer = url;
request.KeepAlive = false;
request.UserAgent = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; CIBA)";
request.ContentType = "application/x-www-form-urlencoded";
request.CookieContainer = myCookieContainer;
System.Net.Cookie ck = new System.Net.Cookie("TestCookie1", "Value of test cookie");
ck.Domain = request.RequestUri.Host;
request.CookieContainer.Add(ck);
request.CookieContainer.Add(response.Cookies);

request.ContentLength = postData.Length;

// Submit the request data
System.IO.Stream outputStream = request.GetRequestStream();
request.AllowAutoRedirect = true;
outputStream.Write(postData, 0, postData.Length);
outputStream.Close();


// Get the return data
response = request.GetResponse() as HttpWebResponse;
responseStream = response.GetResponseStream();
reader = new System.IO.StreamReader(responseStream, Encoding.UTF8);
srcString = reader.ReadToEnd();
Response.Write(srcString);
Response.End();
Tisho
  • 8,320
  • 6
  • 44
  • 52
Sohail Kamran
  • 99
  • 1
  • 2
1

I found out that what was happening was it was redircting to a subdomain on the same domain as the 2nd (123.com) to use the login. Evidently they had this global login system built on the multiple domains to pass the cookies. The code above DOES work and i do have it working now. Thanks!!

Alex
  • 2,114
  • 9
  • 25
  • 34