
So I managed to log in to my site from C# WinForms (with a cookie...), so that forbidden pages are accessible once I get the cookie, but the problem arises when I try to post new data once I log in successfully... then I'm getting "403 forbidden".

In other words:

  1. I send POST from C# using login/password and if successful I get a cookie and... store it somewhere (I think);
  2. Once the cookie is stored, I can use the usual DownloadString method to visit pages that otherwise require logging in;
  3. However, despite saving the cookie I cannot send POST again because the server thinks I am not logged in and I get "403 forbidden"?

Here is the class I am using to help me log in; again, this works for logging in but not for posting (e.g. editing details...) once I am logged in:

    // Helper: WebClient-derived class
    using System;
    using System.Net;

    public class CookieAwareWebClient : WebClient
    {
        // One container, attached to every request this client creates
        public CookieContainer cookie = new CookieContainer();

        // Timeout in milliseconds; null keeps the default
        private int? _timeout = null;
        public int? Timeout
        {
            get { return _timeout; }
            set { _timeout = value; }
        }

        public void SetTimeout(int timeout)
        {
            _timeout = timeout;
        }

        // When true, server certificate validation is switched off (see GetWebRequest)
        private bool? _ssl = null;
        public bool? Ssl
        {
            get { return _ssl; }
            set { _ssl = value; }
        }

        public void SetSsl(bool ssl)
        {
            _ssl = ssl;
        }

        protected override WebRequest GetWebRequest(Uri address)
        {
            WebRequest request = base.GetWebRequest(address);

            if (request is HttpWebRequest)
            {
                (request as HttpWebRequest).CookieContainer = cookie;

                if (_timeout.HasValue)
                {
                    request.Timeout = _timeout.Value;
                }

                // _ssl may still be null, so compare directly instead of reading .Value
                if (_ssl == true)
                {
                    // Accepts any server certificate. ServicePointManager is static, so this
                    // applies to every HTTPS request in the process. Assigned with "=" so that
                    // handlers do not pile up on each request.
                    ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
                }
            }
            return request;
        }
    }

    // Main implementation and usage of the above class.
    // Needs: using System; using System.Collections.Specialized; using System.Net;
    // using System.Net.Security; using System.Security.Cryptography.X509Certificates;
    // using System.Text.RegularExpressions; using System.Windows.Forms;

    public void something()
    {
        var client = new CookieAwareWebClient();

        client.Ssl = true;
        // Accepts any server certificate for the whole process
        ServicePointManager.ServerCertificateValidationCallback =
            delegate(object s, X509Certificate certificate, X509Chain chain,
                     SslPolicyErrors sslPolicyErrors) { return true; };
        client.Timeout = 7000;

        client.BaseAddress = "http://localhost:8080/";

        var loginData = new NameValueCollection();
        loginData.Add("username", "admin");
        loginData.Add("password", "admin");

        try
        {
            client.UploadValues("login.php", "POST", loginData);
        }
        catch (Exception r)
        {
            MessageBox.Show(r.ToString());
        }

        try
        {
            string loggedin = client.DownloadString("http://localhost:8080/" + "/admin");

            Match checking_if_weare_loggedin = Regex.Match(loggedin, @"Jake");
            string checking = checking_if_weare_loggedin.ToString();
            if (checking.Length > 3)
            {
                MessageBox.Show("Good, you're logged in, I can see 'Jake' in the html of the page!");
            }
            else
            {
                MessageBox.Show("Something is not right...this shouldn't happen as try-catch cant even catch it!");
            }
        }
        catch (Exception r)
        {
            MessageBox.Show(r.ToString());
        }

The above part works, but this below is NOT working:

        // loginData2 is a NameValueCollection holding the fields to edit (its contents are not shown here)
        try
        {
            client.UploadValues("edit.php", "POST", loginData2);
        }
        catch (Exception r)
        {
            MessageBox.Show("lol error" + r.ToString());
        }
    }

To summarize, if I use client.DownloadString, the DownloadString method is obviously keeping track of my cookies, since if I use the correct password/username I am able to visit the "admin" page and the regular expression can browse it and read the "welcome" message/html source.

However, unlike the DownloadString method, the UploadString starts from scratch?

So, how to override WebClient so that the cookie is stored no matter what method I'm using?

Thanks a lot! (I hope the code above is useful at least for people who want to log in, as it has SSL/Timeout values implemented; it's pretty good for logging in and reading html but again, it's not working if you want to keep posting once you log in successfully).

kpopguy
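
The `Ssl` switch in the question's helper accepts any server certificate for every HTTPS connection in the process. The sketch below is an added example, not code from the original post: it makes the trust decision per request and relaxes it only for a pinned development certificate on loopback. It assumes .NET Framework 4.5 or later, where the callback's `sender` is the `HttpWebRequest`; `ScopedTrustWebClient`, `DevCertThumbprint` and `ValidateServer` are hypothetical names, and the thumbprint is a placeholder.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical replacement for the Ssl switch: trust is decided per request.
public class ScopedTrustWebClient : WebClient
{
    public CookieContainer Cookies = new CookieContainer();

    // Placeholder: SHA-1 thumbprint (hex, no spaces) of your own development certificate.
    public string DevCertThumbprint = "<DEV-CERT-THUMBPRINT>";

    protected override WebRequest GetWebRequest(Uri address)
    {
        WebRequest request = base.GetWebRequest(address);
        var http = request as HttpWebRequest;
        if (http != null)
        {
            http.CookieContainer = Cookies;
            // Set on the request itself, so other connections in the
            // process keep the default certificate validation.
            http.ServerCertificateValidationCallback = ValidateServer;
        }
        return request;
    }

    public bool ValidateServer(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that chains to a trusted root and matches the host name passes.
        if (errors == SslPolicyErrors.None) return true;

        // Otherwise accept only the pinned development certificate, and only on loopback.
        var http = sender as HttpWebRequest;
        bool loopback = http != null && http.Address.IsLoopback;
        return loopback
            && certificate != null
            && string.Equals(certificate.GetCertHashString(), DevCertThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```
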
  • Before the try part did you check all the requested cookies are passed while making the web req? – Debashish Saha May 27 '18 at 20:15
  • I'm not sure what cookies to expect from the php but I am using another method which shows some "JSESSIONID...something" when I use the correct password/username combo admin/admin...nothing is shown if I try with wrong combo + I am also getting "403 forbidden" when using wrong username/password. – kpopguy May 27 '18 at 20:18
  • One more thing: I'm also seeing "403 forbidden" if the page doesn't exist. But I am sure the edit.php exists and is accessible, I tried with both relative and absolute paths just in case. Again, the login page works using the same way. – kpopguy May 27 '18 at 20:23
  • If I have understood your problem correctly, you mean to say that the block that you mentioned did not work only for post requests? And if you instead use the DownloadString method it's working, is it? – Debashish Saha May 27 '18 at 20:30
  • Yes, the idea is to log in and browse pages that need login/password. Good...I can do that! But...despite the fact that I am logged in I still can't send new POST requests, for example I cannot edit info, and it seems as if I have only read access but not read + write...which is dumb since in a browser I can do anything once I log in. – kpopguy May 27 '18 at 20:35
  • In other words: my program should work just like a web browser: I should login once and once logged in I should read and write, the same way as I do via my webbrowser. So far I can only read restricted pages but not POST/write. – kpopguy May 27 '18 at 20:37
  • Can you first clear all of your cookies in the browser and then pass the User agent header in the web request you are making? Like client.UserAgent="my User agent" – Debashish Saha May 27 '18 at 20:40
  • Someone btw has mentioned that a possible solution is to use cookies in webresponse? I'm however facing an issue to include the cookies received in the webresponse, here is the supposed solution: https://stackoverflow.com/questions/30977809/saving-login-cookie-and-use-it-for-other-request?rq=1 – kpopguy May 27 '18 at 20:45
  • Yes, I think I can do that, will try this one now thanks. But again I'm 90% certain it's related to cookies disappearing/not included where they should... – kpopguy May 27 '18 at 20:46
  • OK, I hope and suspect this approach should do the trick: https://stackoverflow.com/questions/11164275/how-to-add-cookies-to-webrequest – kpopguy May 27 '18 at 21:51
  • The idea is that if I can't use/rewrite all the WebClient methods, but I still grab and see the cookie upon successful login, I can simply send a brand new post with my new data + the cookie I already have from the login, correct? – kpopguy May 27 '18 at 21:52
  • Precisely, yes. If you pass all the cookies that you received on successful login, you might be able to send the req. – Debashish Saha May 28 '18 at 16:47
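
The check suggested in the comments (are the login cookies actually passed with the later request?) can be made directly against the `CookieContainer`. This is an added example, not code from the thread: `CookieScopeCheck` and `CookiesSentTo` are hypothetical names, and the cookies in `Main` are constructed samples standing in for whatever the server sets at login.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public static class CookieScopeCheck
{
    // Lists the cookies the container would attach to a request for the given URL,
    // together with the attributes that decide whether a cookie is sent at all.
    public static List<string> CookiesSentTo(CookieContainer jar, string url)
    {
        var lines = new List<string>();
        foreach (Cookie c in jar.GetCookies(new Uri(url)))
        {
            lines.Add(string.Format(
                "{0}; Domain={1}; Path={2}; Secure={3}; HttpOnly={4}; Expired={5}",
                c.Name, c.Domain, c.Path, c.Secure, c.HttpOnly, c.Expired));
        }
        return lines;
    }

    public static void Main()
    {
        // Constructed sample cookies: one site-wide session cookie, one scoped to
        // /admin, and one marked Secure (sent over https only).
        var jar = new CookieContainer();
        jar.Add(new Uri("http://localhost:8080/"),
                new Cookie("JSESSIONID", "constructed-value", "/"));
        jar.Add(new Uri("http://localhost:8080/admin/"),
                new Cookie("adminview", "1", "/admin"));
        jar.Add(new Uri("https://localhost:8080/"),
                new Cookie("secureonly", "1", "/") { Secure = true });

        string[] urls =
        {
            "http://localhost:8080/admin",
            "http://localhost:8080/edit.php",
            "https://localhost:8080/edit.php"
        };
        foreach (string url in urls)
        {
            Console.WriteLine(url);
            foreach (string line in CookiesSentTo(jar, url))
                Console.WriteLine("  " + line);
        }
    }
}
```

With the question's helper, the same call is `CookiesSentTo(client.cookie, "http://localhost:8080/edit.php")` right after the login POST. `WebClient` builds the requests for `UploadValues` and `DownloadString` alike through `GetWebRequest`, so both use the same container.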
