Is it possible to understand a successful login based on the received cookie?

I am developing a C# application that does this (by the way, this is also my first C# application):

  • receives registration information from the user (id, pass),
  • opens a new HttpWebRequest connection to the ASP.NET web page,
  • tries to enter this page with the received [id, pass] tuple. If the login is successful, my HttpWebRequest object contains a cookie that will be used to log in to another page.

Before requesting the second (secure) page, I want to be sure that the first login succeeds. At first I thought the server was sending the cookie only on successful login. But this is not the case. :) Can you tell from the received cookie that my login is successful? Or are there any other methods you can suggest to solve this problem?

Thanks in advance.

0




3 answers


Thanks for all the answers. Here is my weird solution. :) I am writing this because someone might need it in the future.

The cookies I receive do not contain a specific [name, value] pair, such as [logged, true]. The only thing I get is something like:

Set-Cookie: ASP.NET_SessionId=ah0b2kj40oi0vuufv0mmot35; path=/; HttpOnly\r\n

      



So, I thought I was going in the wrong direction and tried to find another way of analyzing whether the login is successful or not. My solution is to use the StatusCode of the response. I figured out (thanks to Jason's comments on the 401 error code) that the server responds with an HTTP 302 Found code if the login succeeds. But if the login is unsuccessful, it responds with the same login page (i.e. HTTP 200 OK). So depending on the received HTTP response code, I decide if it's successful or not. Here's some sample code:

// In LoginForm.cs (needs: using System.IO; using System.Net; using System.Text;)
// Assumes request.AllowAutoRedirect was set to false; otherwise the 302 is followed automatically.
using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
{
    if (response.StatusCode == HttpStatusCode.Found)
    {
        // Read the redirect target by header name instead of by position.
        nextUrl = response.Headers["Location"];
        StringBuilder FullUrl = new StringBuilder(this.server_address);
        FullUrl.Append(nextUrl);
        this.setSecretURL(FullUrl.ToString());

        setLoginSuccess(true);
        // now we can send our cookie along with a request for the protected page
        request = WebRequest.Create(SECRET_PAGE_URL) as HttpWebRequest;
        request.CookieContainer = cookies;
        using (StreamReader responseReader = new StreamReader(request.GetResponse().GetResponseStream()))
        {
            // and read the response
            result = responseReader.ReadToEnd();
        }
    }
    else
    {
        setLoginSuccess(false);
    }
}

      

+2
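An added example (not the answerer's code) of the status-code check described in the answer above, written as a pure function so it runs offline on constructed inputs. It assumes the login request was sent with `AllowAutoRedirect = false`; the host `app.example.test`, the page names and the `.ASPXAUTH` cookie name (ASP.NET's default forms-authentication cookie) are assumptions, not values from the post.

```csharp
using System;
using System.Net;

static class LoginCheck
{
    // Classify the response to the credential POST. Assumes the request was sent
    // with AllowAutoRedirect = false, so the 302 is visible instead of followed.
    public static bool LoginSucceeded(HttpStatusCode status, string location,
                                      CookieCollection cookies, Uri loginPage, string authCookieName)
    {
        // The answer's rule: 302 Found on success, 200 OK (login form again) on failure.
        if (status != HttpStatusCode.Found || string.IsNullOrEmpty(location))
            return false;

        // Resolve the Location value (relative or absolute) against the login URL.
        if (!Uri.TryCreate(loginPage, location, out Uri target))
            return false;

        // Conservative policy for this example: a redirect off-origin or back to the login form fails.
        if (Uri.Compare(target, loginPage, UriComponents.SchemeAndServer,
                        UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) != 0)
            return false;
        if (string.Equals(target.AbsolutePath, loginPage.AbsolutePath,
                          StringComparison.OrdinalIgnoreCase))
            return false;

        // ASP.NET_SessionId is also issued before login, so its presence proves nothing.
        // If the site's auth cookie name is known (assumption), require it as a second signal.
        return authCookieName == null || cookies[authCookieName] != null;
    }

    static void Main()
    {
        var login = new Uri("https://app.example.test/Login.aspx");   // constructed URL
        var jar = new CookieCollection();                              // constructed cookie jar
        jar.Add(new Cookie("ASP.NET_SessionId", "constructed-value", "/", "app.example.test"));

        // Failed login: the form is rendered again with 200 OK.
        Console.WriteLine(LoginSucceeded(HttpStatusCode.OK, null, jar, login, null));
        // Login as described in the answer: 302 to another page on the same site.
        Console.WriteLine(LoginSucceeded(HttpStatusCode.Found, "/Secret.aspx", jar, login, null));
        // 302 that points back at the login page.
        Console.WriteLine(LoginSucceeded(HttpStatusCode.Found, "/Login.aspx?err=1", jar, login, null));
        // Auth cookie required, but only the session cookie is present.
        Console.WriteLine(LoginSucceeded(HttpStatusCode.Found, "/Secret.aspx", jar, login, ".ASPXAUTH"));
    }
}
```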




If the user is not logged in, the web server should return a 401 error code



+1




I would do one of two things.

  • Instead of using an aspx page, I can use a web service. The web service login method will return an XML response that will tell you if the login was successful, besides the fact that it provided you with a cookie. (Some StackOverflowers may disagree with the use of cookies with web services, but I love them.)

  • Your login page might be more of an API. Let's say your url looks like this:

    http://mywebsite.com/api.aspx?method=login&userid=sampleuser&password=password

    In the HTML response, you can send a response message which can be either plain text or XML. For example, on a results page, you can simply say "success". Your C# application can read this and see that you are successfully logged in.

    Note. You probably want to send the username and password on a POST request, and possibly migrate the password before submitting.

Good luck!

0

