I try to construct WebRequest to a web page after successful logging in to secured web portal via WPF WebBrowser control, but stuck with the problem of reusing WebBrowser cookies in WebRequest.
Unlike WinForms, in WPF WebBrowser control there is no way to extract CookieCollection via WebBrowser.Document.Cookies because Document object does not have Cookies property. The
only way I found is to use mshtml.HTMLDocument2 which has cookies as string
mshtml.IHTMLDocument2 doc = (mshtml.IHTMLDocument2)webBrowser.Document;
string cookies = doc.cookie;
However it is not good enough as looks like MSHTML.Document2
- does not allow to extract important HttpOnly cookies (like ASP.Net_SessionID)
- and I need manually construct CookiesCollection object from Cookies string.
As a result, WebRequest with cookies constructed from string is failing with Session timeout error as ASP.Net_SessionID is not available.
Is there another way of building proper and completed CookieCollection object from WPF WebBrowser control?
Update: After EricLaw posted his comment, here is a snippet of code you could use to get an HttpOnly cookie:
[DllImport("wininet.dll", SetLastError = true)]
private static extern bool InternetGetCookieEx(string pchURL, string pchCookieName,
StringBuilder pchCookieData, ref System.UInt32 pcchCookieData,
int dwFlags, IntPtr lpReserved);
private int INTERNET_COOKIE_HTTPONLY = 0x00002000;
public void GetCookie()
{
string url = "http://www.bing.com";
string cookieName = "ASP.NET_SessionId";
StringBuilder cookie = new StringBuilder();
int size = 256;
InternetGetCookieEx(url, cookieName, cookie, ref size,
INTERNET_COOKIE_HTTPONLY, null)
}
The value would be stored in the StringBuilder "cookie"
A more detailed example can be found in this MSDN blog post.
The only other possible way to get cookies from the WebBrowser that I know of is to use the InternetGetCookie method as mentioned in this StackOverflow answer.
However, it's not possible to get HttpOnly cookies as they are unretrievable as a security feature in browsers. This helps to prevent cross-site scripting. This works the same in WinForms as it does in WPF. More information on HttpOnly cookies can be found in the Wikipedia HTTP Cookie article.
Related
I am using WPF control for CefSharp. I need to know when the request I made receives a response with http status code 404.
I've noticed that CefSharp has LoadError event, but that only fires when the domain cannot be resolved altogether (i.e. if I go to www.sdfhjkhajsdf.com). It doesn't work for when the domain exists, but the page your requesting doesn't.
This is a pretty old question. CefSharp has had lots of great updates, so I hope this helps others searching like me. Don't hate me because my snippets are in VB.NET. ;)
This is what I'm doing to log anything that is not 200 response. For my application, I open a new form of the requested page, so I limit my focus to the initial page request by looking at the ReferrerUrl property. Obviously, you could drop that part to be alerted to all requests.
When you initially implement your ChromiumWebBrowser you need to set a RequestHandler to your implementation.
Me.chromeBrowser = New CefSharp.WinForms.ChromiumWebBrowser(uri)
Me.chromeBrowser.RequestHandler = New CefBasicRequestHandler()
Me.Controls.Add(Me.chromeBrowser)
CefSharp released a default implementation that you can use and just override OnResourceResponse.
Imports System.Security.Cryptography.X509Certificates
Imports CefSharp
Public Class CefBasicRequestHandler
Inherits CefSharp.Handler.DefaultRequestHandler
Private Shared ReadOnly Logger As log4net.ILog = log4net.LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType)
Public Overrides Function OnResourceResponse(browserControl As IWebBrowser, browser As IBrowser, frame As IFrame, request As IRequest, response As IResponse) As Boolean
If String.IsNullOrWhiteSpace(request.ReferrerUrl) Then ' this is the first request of the page
Dim method As String = "OnResourceResponse()."
Dim requestOverview As String = $"[{response.StatusCode}] [{request.Url}]"
Logger.Info($"{method} {requestOverview}")
If response.StatusCode <> 200 Then
Logger.Warn($"{method} {requestOverview}")
End If
End If
Return MyBase.OnResourceResponse(browserControl, browser, frame, request, response)
End Function
End Class
I am developing a WPF application in which I am working with twitter API. To show twitter authentication page I am using WPF web-browser control. I am able to login and use twitter API successfully. My problem is that I need to clear web browser's cookies to implement logout functionality. Is there any way to clear session cookies in WPF web browser?
I ran into this issue yesterday and finally came up with a full solution today. The answer is mentioned here which is put into more detail here and here.
The primary issue here is that the WebBrowser (in WPF and WinForms) does not permit you to modify (delete) existing session cookies. These session cookies are what prevent a multi-user single device experience from being successful.
The StackOverflow response in the link above omits an important part, it requires the use of an unsafe code block, instead of using the Marshal service. Below is a full solution that can be placed into your project to suppress the session cookie persistence.
public static partial class NativeMethods
{
[DllImport("wininet.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool InternetSetOption(IntPtr hInternet, int dwOption, IntPtr lpBuffer, int dwBufferLength);
private const int INTERNET_OPTION_SUPPRESS_BEHAVIOR = 81;
private const int INTERNET_SUPPRESS_COOKIE_PERSIST = 3;
public static void SuppressCookiePersistence()
{
var lpBuffer = Marshal.AllocCoTaskMem(Marshal.SizeOf(typeof(int)));
Marshal.StructureToPtr(INTERNET_SUPPRESS_COOKIE_PERSIST, lpBuffer, true);
InternetSetOption(IntPtr.Zero, INTERNET_OPTION_SUPPRESS_BEHAVIOR, lpBuffer, sizeof(int));
Marshal.FreeCoTaskMem(lpBuffer);
}
}
Check the following,
http://social.msdn.microsoft.com/Forums/en/wpf/thread/860d1b66-23c2-4a64-875b-1cac869a5e5d
private static void _DeleteSingleCookie(string name, Uri url)
{
try
{
// Calculate "one day ago"
DateTime expiration = DateTime.UtcNow - TimeSpan.FromDays(1);
// Format the cookie as seen on FB.com. Path and domain name are important factors here.
string cookie = String.Format("{0}=; expires={1}; path=/; domain=.facebook.com", name, expiration.ToString("R"));
// Set a single value from this cookie (doesnt work if you try to do all at once, for some reason)
Application.SetCookie(url, cookie);
}
catch (Exception exc)
{
Assert.Fail(exc + " seen deleting a cookie. If this is reasonable, add it to the list.");
}
}
I have not tested this, but I think the best way would be to define a Javascript method on the page (if you're able to) that clears the cookie.
document.cookie='c_user=;expires=Thu, 01 Jan 1970 00:00:00 GMT;domain=.facebook.com';
(or whatever the cookie name is). Then you can use the InvokeScript method on the WebBrowser control.
I have an Odata Service and a WPF client application.
Some of the Odata Service Entities have images attached to them (ie.Client).
The streaming works as long as I do not apply authentication. I can view and change the images. Once I enforce authentication everything works as expected, given the credentials check out. All but the images that is. Here are the relevant code steps / snipes.
Window Constructor code
bool iv = System.Web.Security.Membership.ValidateUser("userName", "pass");
ManageService = new InventoryContext(new Uri(...));
ManageService.SendingRequest += new EventHandler<SendingRequestEventArgs (ManageService_SendingRequest);
ManageService_SendingRequest code
//attach the authentication cookie to the request header
((HttpWebRequest)e.Request).CookieContainer = ((ClientFormsIdentity)Thread.CurrentPrincipal.Identity).AuthenticationCookies;
The call to fetch the data is async using background worker
Query Methode()
BackgroundWorker worker = new BackgroundWorker();
worker.DoWork += new DoWorkEventHandler(FetchClient);
worker.RunWorkerCompleted += new RunWorkerCompletedEventHandler(FetchClientsCompleted);
worker.RunWorkerAsync(ClientUUID);
FetchClient
var query = from o in ManageService.Clients where o.ClientUUID.Equals((Guid)e.Argument)
...
e.Result = query;
FetchClientsCompleted
var res = e.Result as DataServiceCollection<Client>;
DataContext = res[0]; //this is all working, with and without authentication
//the next line, binding the stream to the image throws 'unauthenticated'
//it works well if authentication is disabled
imgClient.Source = new BitmapImage(ManageService.GetReadStreamUri(DataContext));
if I debug, the SendingRequest methode, usually called with any query request is NOT triggered calling GetReadStreamUri(...).
This is where I am stuck, what to do to authenticate to the service to get the stream?
Also, I took the URI generated by ManageService.GetReadStreamUri(DataContext), past it into the browser and it works, the image is displayed in the browser, if logged in.
Anyone any ideas?
The SendingRequest handler will only fire for request sent by the DataServiceContext class (your ManageService). But in the case of the picture, you only get the URL from the DataServiceContext and then let the BitmapImage actually issue the HTTP request to that URL. So the event won't fire for that request. I don't know if BitmapImage has a way for you to hook into the HTTP request pipeline (I don't think it does).
You could issue that request yourself and then use the response stream as the input for the bitmap image, in which case you get full control over the request and thus can implement authentication as appropriate.
I'm using the WPF WebBrowser to display online help inside an app (just a few small web pages). Some of those pages use cookies to display items only for the first few times the pages are viewed (it's a "Why not try X" type of thing).
However, for some reason the cookies don't seem to be working inside the WebBrowser control. They work fine in full IE as well as Firefox and Chrome (so the items correctly hide), but they never hide when viewed through the WPF WebBrowser control.
Is there something special about using cookies in the WPF WebBrowser control? It seems to be behaving as if all the cookies are only stored in memory, rather than being persisted on disk.
Here's one of those pages inside a browser (where the cookies work):
And here's the exact same page inside the app:
That additional content should only be visible for the first few times of using the software (i.e. it should be hidden after N views of that web page), but because I can't get cookies to work it's always visible.
Cookies handling in Internet Explorer (or hosted versions) is tied to the IE's own notion of "URL Security Zones", doc here: About URL security Zones
So, IE determines an url zone using various alogorithms applied to the url. Depending on the zone, your hosted browser may or may not support session or persistent cookies.
Strangely, when I create a small WPF sample, add the web browser to it and have navigate to this persistent cookie tester utiliy page: http://www.rbaworld.com/Security/Computers/Cookies/givecook.shtml, it works fine. Each time I launch the sample app, the counter is incremented fine, so not everyone can reproduce your problem. Well, that's the whole purpose of URL Security zones: it can vary by machine, by user, by Windows policy, etc...
The next question is: Can I change the zone you're running in? The short and easy answer is ... no because it's heavily tied to the security.
If you were hosting IE yourself, you could implement your own security zone handle as described here: Implementing a Custom Security Manager and a sample here: SAMPLE: Secumgr.exe Overrides Security Manager for WebBrowser Host but you're relying on WPF's webbrowser that does not allow any override... You can get to Reflector and copy all WPF private/internal code but that's a log of risky work!
The last thing you can try is to manipulate the standard Internet Security Manager. Here is some sample code that gives some hints. At least you should be able to determine the zone you're running in (MapUrltoZone) and change the cookie (TryAllowCookie). The problem with the standard manager is most of the times, it pops up dialog to the end-user allowing authorization... (security again!):
[ComImport, Guid("7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4")]
private class InternetSecurityManager
{
}
[ComImport, InterfaceType(ComInterfaceType.InterfaceIsIUnknown), Guid("79eac9ee-baf9-11ce-8c82-00aa004ba90b")]
private interface IInternetSecurityManager
{
void Unused1();
void Unused2();
[PreserveSig]
int MapUrlToZone([In, MarshalAs(UnmanagedType.BStr)] string pwszUrl, out int pdwZone, [In] int dwFlags);
void Unused3();
[PreserveSig]
int ProcessUrlAction(string pwszUrl, int dwAction, ref int pPolicy, int cbPolicy, ref Guid pContext, int cbContext, int dwFlags, int dwReserved);
// left undefined
}
public static SecurityZone MapUrlToZone(Uri uri)
{
IInternetSecurityManager securityManager = (IInternetSecurityManager)new InternetSecurityManager();
int zoneId;
if (securityManager.MapUrlToZone(uri.ToString(), out zoneId, 0) < 0)
return SecurityZone.NoZone;
return (SecurityZone)zoneId;
}
private const int URLACTION_COOKIES = 0x00001A02;
private const int URLACTION_COOKIES_ENABLED = 0x00001A10;
private const int URLPOLICY_ALLOW = 0x00;
private const int URLPOLICY_DISALLOW = 0x03;
private const int PUAF_DEFAULT = 0x00000000;
public static bool TryAllowCookies(Uri uri)
{
IInternetSecurityManager securityManager = (IInternetSecurityManager)new InternetSecurityManager();
int policy = 0;
Guid context = Guid.Empty;
int hr = securityManager.ProcessUrlAction(uri.ToString(), URLACTION_COOKIES_ENABLED, ref policy, Marshal.SizeOf(policy), ref context, Marshal.SizeOf(context), PUAF_DEFAULT, 0);
return (hr == 0) && policy == URLPOLICY_ALLOW;
}
Good luck :)
The WebBrowser control won't allow this by default. For security reasons, you probably wouldn't want different applications from different developers/companies being able to access cookie info that another app created.
However, check out this answer How to delete Cookies from windows.form?
That pertains to deleting cookies through javascript, but you may be able to use a similar method in order to persist and create the site cookie each time the application is loaded.
Is there a way to read/write the cookies that a WebBrowser control uses?
I am doing something like this...
string resultHtml;
HttpWebRequest request = CreateMyHttpWebRequest(); // fills http headers and stuff
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
using (StreamReader sr = new StreamReader(response.GetResponseStream()))
{
resultHtml = sr.ReadToEnd();
}
WebBrowser browser = new WebBrowser();
browser.CookieContainer = request.CookieContainer; // i wish i could do this :(
browser.NavigateToString(resultHtml);
One of the potentially confusing things about the WebBrowser control and cookies is that at a first glance, it often looks like your app gets a separate cookie store. For example, if you log into a site that stores a persistent cookie to identify you, then whether you appear to be logged in for that site from inside an app hosting the control will be independent of whether you seem to be logged in via Internet Explorer.
In fact, you can even be logged in with different identities.
However, although it might be natural to draw the conclusion that each app hosting the WebBrowser therefore gets its own cookies, in fact that's not true. There are merely two sets of cookies: the ones used in 'low integrity' mode (which is what IE runs in by default), and the other set, which is what you'll get in a normal app that hosts the WebBrowser and also what you'll get if you run IE elevated.
the webbrowser control uses WinInet for networking, specifically use the InternetSetCookie(Ex) and InternetGetCookie(Ex) functions for Cookie management. There isn't a WinInet wrapper in .Net, but you can p-invoke.
Yes you are right, InternetGetCookieEx is the only way to retrieve HttpOnly cookies and it is the preferred way to grab cookie from WebBrowser control.
I posted a complete example here
You can use Application.GetCookie and Application.SetCookie methods.
Although Application is more or less related to WPF, you can use these methods in any desktop .NET code. In fact, they are wrappers on InternetGetCookieEx and InternetSetCookieEx Windows APIs.
I faced the same issue few days ago.
Besides the examples of the previous answers, here is a Win32 wrapper for the WebBrowser control. The advantage of this implementation is that it exposes more options that the default WebBrowser control.
Unfortunately if It's not WPF native, so you will have to create a wrapper if you're planning to use it in WPF.
http://code.google.com/p/csexwb2/
Here is sample from [link][1]
> public static class WinInetHelper
{
public static bool SupressCookiePersist()
{
// 3 = INTERNET_SUPPRESS_COOKIE_PERSIST
// 81 = INTERNET_OPTION_SUPPRESS_BEHAVIOR
return SetOption(81, 3);
}
public static bool EndBrowserSession()
{
// 42 = INTERNET_OPTION_END_BROWSER_SESSION
return SetOption(42, null);
}
static bool SetOption(int settingCode, int? option)
{
IntPtr optionPtr = IntPtr.Zero;
int size = 0;
if (option.HasValue)
{
size = sizeof(int);
optionPtr = Marshal.AllocCoTaskMem(size);
Marshal.WriteInt32(optionPtr, option.Value);
}
bool success = InternetSetOption(0, settingCode, optionPtr, size);
if (optionPtr != IntPtr.Zero) Marshal.Release(optionPtr);
return success;
}
[System.Runtime.InteropServices.DllImport("wininet.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool InternetSetOption(
int hInternet,
int dwOption,
IntPtr lpBuffer,
int dwBufferLength
);
}