1

Is it possible to pass Sitecore Credentials via an HttpWebRequest? The code below works great, except for the fact that the asmx being called executes as the anonymous user. I'd like to be able to pass the sitecore current user credentials to the page I'm calling.

CookieContainer cookieJar = new CookieContainer();
HttpWebRequest req = (HttpWebRequest)WebRequest.Create("http://localhost/file.asmx");
req.Headers.Add("SOAPAction", "\"http://tempuri.org/Register\"");
req.ContentType = "text/xml;charset=\"utf-8\"";
req.Accept = "text/xml";
req.Method = "POST";
req.ContentLength = 0;
req.CookieContainer = cookieJar;
WebResponse response = req.GetResponse();
Stream responseStream = response.GetResponseStream();
StreamReader respStrm = new StreamReader(responseStream, System.Text.Encoding.ASCII);
string responseITem = respStrm.ReadToEnd();
HttpContext.Current.Response.Write(responseITem);
HttpContext.Current.Response.End();
Josh C

2 Answers

3

The Sitecore user credential information is stored in a cookie. So you could add the client cookies to your HTTP request:

HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
request.CookieContainer = new CookieContainer();
HttpCookieCollection userCookies = Request.Cookies;
for (int userCookieCount = 0; userCookieCount < userCookies.Count; userCookieCount++)
{
    HttpCookie httpCookie = userCookies.Get(userCookieCount);
    Cookie cookie = new Cookie();
    /*  We have to add the target host because the cookie does not contain the domain information.
        In this case, this behaviour is not a security issue, because the target is our own platform.
        Further information: http://stackoverflow.com/a/460990 
    */
    cookie.Domain = request.RequestUri.Host;
    cookie.Expires = httpCookie.Expires;
    cookie.Name = httpCookie.Name;
    cookie.Path = httpCookie.Path;
    cookie.Secure = httpCookie.Secure;
    cookie.Value = httpCookie.Value;

    request.CookieContainer.Add(cookie);
}

You could also check our Sitecore Error Manager module. There we also create HTTP requests that send the client cookies (see lines 149-170):

https://github.com/unic/SitecoreErrorManager/blob/master/Modules.ErrorManager/Controls/BaseError.cs

Kevin Brechbühl
  • Adding the domain - as you mentioned - was the trick. I had been trying to push the cookie info, but it didn't seem to be working, so I figured it just wasn't going to happen that way. Thanks! – Josh C Mar 13 '13 at 17:27
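
A hardened variant of the cookie-forwarding approach in the answer above, as an added example that is not part of the original answers or of the Sitecore Error Manager code: it forwards only the authentication cookies, and only to hosts on an allowlist. `AuthCookieForwarder` and `allowedHosts` are hypothetical names, and the cookie names assume the ASP.NET defaults (`.ASPXAUTH`, `ASP.NET_SessionId`).

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;

// Added example (hypothetical helper, not from the answers on this page).
public static class AuthCookieForwarder
{
    // Assumption: default ASP.NET cookie names. Adjust if web.config renames them.
    private static readonly string[] ForwardedCookies = { ".ASPXAUTH", "ASP.NET_SessionId" };

    public static HttpWebRequest Create(HttpRequest incoming, Uri target, string[] allowedHosts)
    {
        // The user's auth ticket must only ever be replayed against our own platform.
        if (!target.IsAbsoluteUri ||
            !allowedHosts.Contains(target.Host, StringComparer.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("Refusing to forward auth cookies to this target.");
        }

        // Do not replay a ticket received over HTTPS on a plain-text connection.
        if (incoming.IsSecureConnection && target.Scheme != Uri.UriSchemeHttps)
        {
            throw new InvalidOperationException("Refusing to downgrade auth cookies to HTTP.");
        }

        var request = (HttpWebRequest)WebRequest.Create(target);
        request.CookieContainer = new CookieContainer();

        foreach (string name in ForwardedCookies)
        {
            // Request.Cookies returns null for a cookie the browser did not send.
            HttpCookie source = incoming.Cookies[name];
            if (source == null || string.IsNullOrEmpty(source.Value))
            {
                continue;
            }

            // Incoming cookies carry no domain, so scope the copy to the validated host.
            var cookie = new Cookie(name, source.Value, "/", target.Host)
            {
                Secure = target.Scheme == Uri.UriSchemeHttps,
                HttpOnly = true
            };
            request.CookieContainer.Add(cookie);
        }

        return request;
    }
}
```

Cookies not on the list (analytics, preferences, other applications on the same domain) are never copied, and a request for a host outside `allowedHosts` fails before any cookie is attached.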
2

You need to add the current user credentials to the request so you can retrieve them in your asmx webservice and use the credentials to log the user in so the context is set.

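// add the credentials to the POST body
var credentials = "yourCredentials";
// Stream.Write expects a byte array, so encode the string first
byte[] credentialBytes = System.Text.Encoding.UTF8.GetBytes(credentials);
req.ContentLength = credentialBytes.Length;
using (var dataStream = req.GetRequestStream())
{
  dataStream.Write(credentialBytes, 0, credentialBytes.Length);
}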

In your asmx webservice you can log in with the userName only or with the combination of the userName and Password which are retrieved from the request.

Sitecore.Security.Authentication.AuthenticationManager.Login(userName);

EDIT: there is a security risk here when sending credentials as plain text; use at least HTTPS to make it more secure.

Martijn van der Put
  • Does that mean I'd need to have access to their password? In the sample you provided, is "yourCredentials" the user name and password combo? Thanks much for your help. – Josh C Mar 05 '13 at 23:13
  • No, you can log in a user by using only the username, no password needed. – Martijn van der Put Mar 06 '13 at 11:30
  • This solution is not very clever because you have to send credentials through the net (if you do not use HTTPS) which can be modified through a man-in-the-middle attack. The solution of Kevin is much cleaner because the .ASPXAUTH cookie identifies a user and cannot be modified easily. – Pascal Mathys Mar 06 '13 at 11:32
  • @Pascal, that is correct, but you only need the username, no password. I assume that Josh knows what he is doing and that he is aware that there is a security risk in this. – Martijn van der Put Mar 06 '13 at 11:34
  • @Martijn But you can modify the username. That alone is insecure. Even if the call is network internal – Pascal Mathys Mar 06 '13 at 11:35
  • @PascalMathys correct. I've added an edit to the answer to point out the security risk in case someone doesn't know it. – Martijn van der Put Mar 06 '13 at 11:43
  • This would work, too, with the security stuff taken into account, but pushing the cookie was the best thing for me right now. – Josh C Mar 13 '13 at 17:30