Our network: SubMain() | vbCity Developer Community | vbCity Blogs | DevCity.NET
/Home /Archive /Syndicate /Blog /Support /About /Contact  
All Visual Basic Feeds in one place!
 
[advanced search]

Menu

Community

Feeds
vbCity (VB)
Microsoft (VB)
Personal (VB)

Legal Note
The content of the postings is owned by the respective author. vbfeeds.com is not responsible for the contents of the postings. This site is automatically generated and cannot be reviewed for abusive content. If you find abusive content on vbfeeds.com, please contact us at abuse@vbfeeds.com and we will remove it. Designated trademarks and brands are the property of their respective owners. vbfeeds.com Copyright © 2005 Serge Baranovsky. All rights reserved.

Tuesday, September 27, 2005
Logging into a website that maintains session based security
by Mark Dryden via Drydo (Mark Dryden) on 9/27/2005 9:28:00 AM

An awful lot of dynamic websites have some kind of login facility where the user provides a username / password to gain access to more juicier / functionality elements of the website. A typical approach to log an actual user being authenicated is to set a flag / variable or whatever in the session object at the server end. This way, on each page view of the secured website (we) can check the session, determine whether the user is logged in and perform the appropriate actions.

Anyway, a few months ago I produced some code that could successfully log into a site, retreive the redirect location BUT it wouldn't successfully perform the navigate as I couldn't pass over the session ID generated by the initial request. Well, after a couple of weeks of Flash and Web Development I decided to revisit this one that used the HTTPWebResponse and HTTPWebRequest objects...

Firstly, I created a quick ASP (old) site using a login page where the user can authenicate and if successful, it stores a variable in the session for that user confirming a successful login before navigating to my 'secured' content. Secondly, because I'm fudging the interaction of the login request - I'm going to communicate directly with the login form's ACTION url - therefore, if you emulate this you will need to dig around in the HTML source of the login form to retreive the location of the login script and the relevant field names.

So - the theory is....

  • Create a new HTTPWebRequest that sends the appropriate login data via a POST request.
  • Create an empty CookieContainer to pass with the initial request.
  • Prevent the request from performing any automatic redirects.
  • Retreive the HTTPWebResponse from the server, parse the redirect location and copy the 'cookies' objects from the response and add to the CookieContainer for future requests.
  • Perform the 'redirect' navigation (using a GET) passing the cookie container (with the added cookie objects)

And that's pretty much it. Now surprisingly the thing I was missing was setting the initial request with a valid CookieContainer object (as opposed to the default of nothing) - retreiving the cookie container from the response object and setting the subsequent request with the same CookieContainer and thus passing the session ID and other details along. Note: this isn't production code so I don't expect to see this on www.thedailywtf.com ;-)

Code Copy HideScrollFull
' Set the initial parameters
        Dim UserID As String = "myUsername" ' Username
        Dim PWord As String = "myPassword" ' Password
        Dim domain As String = "http://myDomain/secure"
        Dim encoding As New System.Text.ASCIIEncoding
        Dim CookieC As New Net.CookieContainer

        ' Use the appropriate HTML field names to stuff into the post header
        Dim PostData As String = _
            "txtUName=" & UserID & _
            "&txtPWord=" & PWord ' Note: where txtUName & txtPWord are the field names
        Dim Data() As Byte = encoding.GetBytes(PostData)

        ' Initialise the request
        Dim LoginReq As Net.HttpWebRequest = Net.WebRequest.Create(domain & "default.asp") ' Login location taken from the form action
        With LoginReq
            .KeepAlive = False
            .Method = "POST"
            ' Note: if the page uses a redirect if will fail
            .AllowAutoRedirect = False
            .ContentType = "application/x-www-form-urlencoded"
            .ContentLength = Data.Length
            ' Set empty container
            .CookieContainer = CookieC
        End With

        ' Add the POST data
        Dim SendReq As IO.Stream = LoginReq.GetRequestStream
        SendReq.Write(Data, 0, Data.Length)
        SendReq.Close()

        ' Obtain the response
        Dim LoginRes As Net.HttpWebResponse = LoginReq.GetResponse()

        ' Retreive the headers from the request (e.g. the location header)
        Dim Redirect As String = LoginRes.Headers("Location")
        ' Add any returned cookies to the cookie collection
        CookieC.Add(LoginRes.Cookies)

        ' Move to the redirected page as a GET request...
        LoginReq = Net.WebRequest.Create(domain & Redirect)
        With LoginReq
            .KeepAlive = False
            .Method = "GET"
            .ContentType = "application/x-www-form-urlencoded"
            .AllowAutoRedirect = True
            .CookieContainer = CookieC
        End With

        ' Perform the navigate and output the HTML
        LoginRes = LoginReq.GetResponse()
        Dim sReader As IO.StreamReader = New IO.StreamReader(LoginRes.GetResponseStream)
        Dim HTML As String = sReader.ReadToEnd
        Debug.Write(HTML)
. . .

Have fun - M
6 comment(s)
Original Post: http://blogs.vbcity.com/drydo/archive/2005/09/27/5556.aspx
© 2005 Serge Baranovsky. All rights reserved.
All feed content is property of original publisher. Designated trademarks and brands are the property of their respective owners.

This site is maintained by SubMain(), a division of vbCity.com, LLC