4

I'm using the WPF WebBrowser to display online help inside an app (just a few small web pages). Some of those pages use cookies to display items only for the first few times the pages are viewed (it's a "Why not try X" type of thing).

However, for some reason the cookies don't seem to be working inside the WebBrowser control. They work fine in full IE as well as Firefox and Chrome (so the items correctly hide), but they never hide when viewed through the WPF WebBrowser control.

Is there something special about using cookies in the WPF WebBrowser control? It seems to be behaving as if all the cookies are only stored in memory, rather than being persisted on disk.

Here's one of those pages inside a browser (where the cookies work):

Help pane inside a browser

And here's the exact same page inside the app:

Help pane inside the application

That additional content should only be visible for the first few times of using the software (i.e. it should be hidden after N views of that web page), but because I can't get cookies to work it's always visible.

Wilka
  • 28,701
  • 14
  • 75
  • 97

2 Answers2

7

Cookies handling in Internet Explorer (or hosted versions) is tied to the IE's own notion of "URL Security Zones", doc here: About URL security Zones

So, IE determines an url zone using various alogorithms applied to the url. Depending on the zone, your hosted browser may or may not support session or persistent cookies.

Strangely, when I create a small WPF sample, add the web browser to it and have navigate to this persistent cookie tester utiliy page: http://www.rbaworld.com/Security/Computers/Cookies/givecook.shtml, it works fine. Each time I launch the sample app, the counter is incremented fine, so not everyone can reproduce your problem. Well, that's the whole purpose of URL Security zones: it can vary by machine, by user, by Windows policy, etc...

The next question is: Can I change the zone you're running in? The short and easy answer is ... no because it's heavily tied to the security.

If you were hosting IE yourself, you could implement your own security zone handle as described here: Implementing a Custom Security Manager and a sample here: SAMPLE: Secumgr.exe Overrides Security Manager for WebBrowser Host but you're relying on WPF's webbrowser that does not allow any override... You can get to Reflector and copy all WPF private/internal code but that's a log of risky work!

The last thing you can try is to manipulate the standard Internet Security Manager. Here is some sample code that gives some hints. At least you should be able to determine the zone you're running in (MapUrltoZone) and change the cookie (TryAllowCookie). The problem with the standard manager is most of the times, it pops up dialog to the end-user allowing authorization... (security again!):

[ComImport, Guid("7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4")]
private class InternetSecurityManager
{
}

[ComImport, InterfaceType(ComInterfaceType.InterfaceIsIUnknown), Guid("79eac9ee-baf9-11ce-8c82-00aa004ba90b")]
private interface IInternetSecurityManager
{
    void Unused1();
    void Unused2();
    [PreserveSig]
    int MapUrlToZone([In, MarshalAs(UnmanagedType.BStr)] string pwszUrl, out int pdwZone, [In] int dwFlags);
    void Unused3();
    [PreserveSig]
    int ProcessUrlAction(string pwszUrl, int dwAction, ref int pPolicy, int cbPolicy, ref Guid pContext, int cbContext, int dwFlags, int dwReserved);
    // left undefined
}

public static SecurityZone MapUrlToZone(Uri uri)
{
    IInternetSecurityManager securityManager = (IInternetSecurityManager)new InternetSecurityManager();
    int zoneId;
    if (securityManager.MapUrlToZone(uri.ToString(), out zoneId, 0) < 0)
        return SecurityZone.NoZone;

    return (SecurityZone)zoneId;
}

private const int URLACTION_COOKIES = 0x00001A02;
private const int URLACTION_COOKIES_ENABLED = 0x00001A10;
private const int URLPOLICY_ALLOW = 0x00;
private const int URLPOLICY_DISALLOW = 0x03;
private const int PUAF_DEFAULT = 0x00000000;

public static bool TryAllowCookies(Uri uri)
{
    IInternetSecurityManager securityManager = (IInternetSecurityManager)new InternetSecurityManager();
    int policy = 0;
    Guid context = Guid.Empty;
    int hr = securityManager.ProcessUrlAction(uri.ToString(), URLACTION_COOKIES_ENABLED, ref policy, Marshal.SizeOf(policy), ref context, Marshal.SizeOf(context), PUAF_DEFAULT, 0);
    return (hr == 0) && policy == URLPOLICY_ALLOW;
}

Good luck :)

Simon Mourier
  • 132,049
  • 21
  • 248
  • 298
0

The WebBrowser control won't allow this by default. For security reasons, you probably wouldn't want different applications from different developers/companies being able to access cookie info that another app created.

However, check out this answer How to delete Cookies from windows.form?

That pertains to deleting cookies through javascript, but you may be able to use a similar method in order to persist and create the site cookie each time the application is loaded.

Community
  • 1
  • 1
rossisdead
  • 2,102
  • 1
  • 19
  • 30
  • I don't understand this answer. Isn't the cookie bound to the page, rather than to the app? It's the page that's setting the cookie. The app is completely passive. – Mal Ross Dec 16 '10 at 11:15
  • I've updated the question to hopefully better illustration what I'm trying to achieve here. The cookies aren't crated by the app, they're all created on the sever-side. The app is just displaying the web pages. – Wilka Dec 16 '10 at 12:42
  • Correct, the server creates the cookies, but then they get stored by the browser client-side after each request. The WebBrowser control doesn't allow for the sharing/storing of these cookies afterwards. – rossisdead Dec 16 '10 at 16:23
  • Though if you're referring to httpOnly cookies, I'm not sure there'd be a way to persist those without really hacking up the WebBrowser control by using the AxWebBrowser interface stuff. – rossisdead Dec 16 '10 at 17:25