HttpWebRequest and Forms Authentication

Discussion in 'ASP .Net Security' started by Matthew Judd, Oct 21, 2004.

  1. Matthew Judd

    Matthew Judd Guest

    I am using Forms Authentication on my site, this process mostly works fine.
    The problem I am having is that I have a page that uses an HttpWebRequest
    object to get the html generated from one of the aspx pages within my site,
    which it then emails to somebody. The problem I have with this is that the
    email gets the login page instead of the page I requested, because when I do
    the WebRequest it gets sent to the forms authentication login page that I
    have specified. I need to be able to get my WebRequest to bypass the forms
    authentication for this request, but I do not know how. Any suggestions would
    be appreciated.

    Matthew Judd
     
    Matthew Judd, Oct 21, 2004
    #1
    1. Advertising

  2. Matthew Judd

    Jorge Matos Guest

    You probably need to add the Forms Authentication cookie as a http header in
    your request to the other web page. The WebRequest type has a "headers"
    property that you can use to add the Forms Authentication cookie to - then
    when you make the request with the WebRequest object, your forms auth cookie
    will go along for the ride.

    hth
    Jorge

    "Matthew Judd" wrote:

    > I am using Forms Authentication on my site, this process mostly works fine.
    > The problem I am having is that I have a page that uses an HttpWebRequest
    > object to get the html generated from one of the aspx pages within my site,
    > which it then emails to somebody. The problem I have with this is that the
    > email gets the login page instead of the page I requested, because when I do
    > the WebRequest it gets sent to the forms authentication login page that I
    > have specified. I need to be able to get my WebRequest to bypass the forms
    > authentication for this request, but I do not know how. Any suggestions would
    > be appreciated.
    >
    > Matthew Judd
     
    Jorge Matos, Oct 21, 2004
    #2
    1. Advertising

  3. Before that, you will probably need to make a separate request to the
    authentication page and post some credentials so that you can get the cookie
    value to begin with. It may be possible to hardcode a cookie value that
    will work, but generally these things expire, so you'd probably need to get
    one dynamically. Use an HTTP debugger like Fiddler to see the exact format
    of the post so that you can replicate it in code.

    In general, forms auth is not well suited for screen scraping or web
    services-type of authentication. However, you can do it if you really want
    to.

    Joe K.

    "Jorge Matos" <> wrote in message
    news:...
    > You probably need to add the Forms Authentication cookie as a http header
    > in
    > your request to the other web page. The WebRequest type has a "headers"
    > property that you can use to add the Forms Authentication cookie to - then
    > when you make the request with the WebRequest object, your forms auth
    > cookie
    > will go along for the ride.
    >
    > hth
    > Jorge
    >
    > "Matthew Judd" wrote:
    >
    >> I am using Forms Authentication on my site, this process mostly works
    >> fine.
    >> The problem I am having is that I have a page that uses an HttpWebRequest
    >> object to get the html generated from one of the aspx pages within my
    >> site,
    >> which it then emails to somebody. The problem I have with this is that
    >> the
    >> email gets the login page instead of the page I requested, because when I
    >> do
    >> the WebRequest it gets sent to the forms authentication login page that I
    >> have specified. I need to be able to get my WebRequest to bypass the
    >> forms
    >> authentication for this request, but I do not know how. Any suggestions
    >> would
    >> be appreciated.
    >>
    >> Matthew Judd
     
    Joe Kaplan \(MVP - ADSI\), Oct 21, 2004
    #3
  4. Matthew Judd

    Jorge Matos Guest

    I didn't know about Fiddler - gotta look into that. I disagree about the
    separate request though, if the user is already authenticated then you can
    programmatically access the Forms Auth Cookie that is already present as a
    header in the current request context, and since Matthew is hitting a web
    page that is already in the site this should work. I agree with you only if
    you are hitting an external web site that is using Forms Auth.

    "Joe Kaplan (MVP - ADSI)" wrote:

    > Before that, you will probably need to make a separate request to the
    > authentication page and post some credentials so that you can get the cookie
    > value to begin with. It may be possible to hardcode a cookie value that
    > will work, but generally these things expire, so you'd probably need to get
    > one dynamically. Use an HTTP debugger like Fiddler to see the exact format
    > of the post so that you can replicate it in code.
    >
    > In general, forms auth is not well suited for screen scraping or web
    > services-type of authentication. However, you can do it if you really want
    > to.
    >
    > Joe K.
    >
    > "Jorge Matos" <> wrote in message
    > news:...
    > > You probably need to add the Forms Authentication cookie as a http header
    > > in
    > > your request to the other web page. The WebRequest type has a "headers"
    > > property that you can use to add the Forms Authentication cookie to - then
    > > when you make the request with the WebRequest object, your forms auth
    > > cookie
    > > will go along for the ride.
    > >
    > > hth
    > > Jorge
    > >
    > > "Matthew Judd" wrote:
    > >
    > >> I am using Forms Authentication on my site, this process mostly works
    > >> fine.
    > >> The problem I am having is that I have a page that uses an HttpWebRequest
    > >> object to get the html generated from one of the aspx pages within my
    > >> site,
    > >> which it then emails to somebody. The problem I have with this is that
    > >> the
    > >> email gets the login page instead of the page I requested, because when I
    > >> do
    > >> the WebRequest it gets sent to the forms authentication login page that I
    > >> have specified. I need to be able to get my WebRequest to bypass the
    > >> forms
    > >> authentication for this request, but I do not know how. Any suggestions
    > >> would
    > >> be appreciated.
    > >>
    > >> Matthew Judd

    >
    >
    >
     
    Jorge Matos, Oct 21, 2004
    #4
  5. I Agree with you as well. I missed the part about this being on the same
    site and already having the cookie.

    Fiddler is quite cool. I think you will find it quite useful.

    Joe K.

    "Jorge Matos" <> wrote in message
    news:D...
    >I didn't know about Fiddler - gotta look into that. I disagree about the
    > separate request though, if the user is already authenticated then you can
    > programmatically access the Forms Auth Cookie that is already present as a
    > header in the current request context, and since Matthew is hitting a web
    > page that is already in the site this should work. I agree with you only
    > if
    > you are hitting an external web site that is using Forms Auth.
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    >> Before that, you will probably need to make a separate request to the
    >> authentication page and post some credentials so that you can get the
    >> cookie
    >> value to begin with. It may be possible to hardcode a cookie value that
    >> will work, but generally these things expire, so you'd probably need to
    >> get
    >> one dynamically. Use an HTTP debugger like Fiddler to see the exact
    >> format
    >> of the post so that you can replicate it in code.
    >>
    >> In general, forms auth is not well suited for screen scraping or web
    >> services-type of authentication. However, you can do it if you really
    >> want
    >> to.
    >>
    >> Joe K.
    >>
    >> "Jorge Matos" <> wrote in message
    >> news:...
    >> > You probably need to add the Forms Authentication cookie as a http
    >> > header
    >> > in
    >> > your request to the other web page. The WebRequest type has a
    >> > "headers"
    >> > property that you can use to add the Forms Authentication cookie to -
    >> > then
    >> > when you make the request with the WebRequest object, your forms auth
    >> > cookie
    >> > will go along for the ride.
    >> >
    >> > hth
    >> > Jorge
    >> >
    >> > "Matthew Judd" wrote:
    >> >
    >> >> I am using Forms Authentication on my site, this process mostly works
    >> >> fine.
    >> >> The problem I am having is that I have a page that uses an
    >> >> HttpWebRequest
    >> >> object to get the html generated from one of the aspx pages within my
    >> >> site,
    >> >> which it then emails to somebody. The problem I have with this is that
    >> >> the
    >> >> email gets the login page instead of the page I requested, because
    >> >> when I
    >> >> do
    >> >> the WebRequest it gets sent to the forms authentication login page
    >> >> that I
    >> >> have specified. I need to be able to get my WebRequest to bypass the
    >> >> forms
    >> >> authentication for this request, but I do not know how. Any
    >> >> suggestions
    >> >> would
    >> >> be appreciated.
    >> >>
    >> >> Matthew Judd

    >>
    >>
    >>
     
    Joe Kaplan \(MVP - ADSI\), Oct 22, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Eric
    Replies:
    2
    Views:
    1,497
    Tommy
    Feb 13, 2004
  2. TK
    Replies:
    2
    Views:
    11,932
  3. Galore
    Replies:
    1
    Views:
    284
    Saravana
    Nov 3, 2004
  4. JEFF
    Replies:
    1
    Views:
    1,028
    =?Utf-8?B?YnJpYW5zW01DU0Rd?=
    Nov 12, 2007
  5. Eric
    Replies:
    2
    Views:
    558
Loading...

Share This Page