I'd like to make a webrequest to facebook or authenticated site using the cookies already contained in cefsharp after the user has logged on.
How can I do that? I'm currently using HttpWebRequest. Can I somehow retrieve cookies from CEF and pass it to HttpWebRequest? Tried looking at CEFRequest but it's not accessible nor do I know how to use it
I need all this in order to prefetch resources needed by 2000 sites that I need precached. If you can suggest another way to do that please recommend that as well
The method Cef.VisitAllCookies() will issue a callback for each cookie. You can then selectively include some or all of these cookies in web requests that you make using HttpWebRequest.
https://github.com/ataranto/CefSharp/blob/master/CefSharp/CefSharp.h#L122
Related
I have two domains
Example :
a.com and b.com
I try to implement SSO Cross-domain authentication for these two websites
I refer to this link reference How youtube gets logged in to gmail account without getting redirected? to implement like Gmail and YouTube
I have doubt about that
How to send tokens from one domain to another domain using iframe
How to pass tokens in a secure way
If I use an intermediate domain how to prevent that domain call for accessing cookies value I want to set the cookies in the second domain
Please help me to implement I searched but the sample code is not available in asp.net
have you tried this method?
Using Reverse Proxy
As #David suggested, use a reverse proxy like Nginx or HAPorxy to serve both the applications from the same domain - protocol://host:port. All three things should be equal.
Using cookies instead of LocalStorage
If you use cookies instead of LocalStorage, then host ports do not participate in determining site policy. So two application running on the same host but the different port will share cookie without any extra work. To protect the cookie, use an HTTP-only cookie, same-site cookie.
Using URL to share - IFrame only
If you are using iFrame, then you can use URL to share the token. When the outer window is loading the iFrame, send this information via hash like http://localhost:8081/somepage#token=1234
Using hash will allow the page to send data to an inner page without being sent over the wire.
Using window.postMessage - IFrame only
Using window.postMessage, you can simply pass the required data to the inner window/iFrame. As long as you control both the endpoints, you can easily do cross-domain message sending.
In the end, it really depends on your security requirements, ease-of-maintenance, etc.
The best of this is using oAuth https://oauth.net/ provides a comprehensive definition of this.
There are many open-source implementations of oAuth consumer and server available.
The concept is that a third URL will authenticate and maintain the primary session and pass tokens via URL on redirect. The consumers can utilize tokens to request the server for details directly.
Overall benifit is that you will get implementations via open-source communities in a language of your choice, and you will be able to utilise third-party logins. There are other standards you can look into as well are SAML , OpenID and LDAP and products like shibbobleth,CAS and Azure AD.
Is it possible and how to use cookieless ASP.NET session with session id not in URL but in HTTP Header? Using some custom developed HttpHandler or HttpModule
Resons why it is needed to make migation for existing product easier. Most correct solution will be to switch from cookieless=true to false. But it is already existing and working product, and migration could be not so easy. At least effort to change code on multiple places in this case needed. Idea was e.g. use custom HTTP module to rewrite URL and insert session instead of URL into custom HTTP Header, and otherwise when returning response to client.
Actually, using a cookie is equivalent with using a header to transfer the session ID. If you use a cookie, you will see that the values saved in the cookie will be transferred using the http headers. Perhaps, if you explained your scenario and goals in more detail, we could give you some more guidance.
I do not understand what you could gain by implementing your own session identification mechanism. If you are afraid that user A could steal user B's session token and impersonate him, there are standard ways to protect your application. Perhaps this post regarding session security could give you some more details. If you insist on going with a custom solution, I would suggest implementing a custom session stored provider which would integrate with the overall asp.net workflow.
Hope I helped!
Just had a quick question: right now when you are doing cross domain tracking with Analytics, the URL has parameters added to them to track it. I was just wondering, is there a way to use something like POST or any other method to pass the cookie info from one domain to the next so the URL does not seem so messy with all the URL parameters being added.
E.g. going from google.com to yahoo.com/lots_of_paramters, could we go to just yahoo.com/gclid=123
Cheers,
Yuri
The parameters are read on the other domain to recreate the same Google Analytics cookies.
Data sent on POST is not available on the posted page through Javascript only on the back end. So you would need the backend to actually store this data and send back to the interface, maybe through AJAX to recreate the cookies there.
Another idea is probably to try to parse the cookies server side and send them as new cookies, so the Javascript code on the destination domain wouldn't need to recreate the cookies, they would be normal HTTP Header set cookies.
Still it's a lot of work and fuzz just to pass the cookies on. Urls are ugly but are still the easiest and portable way to handle the problem.
Ignore for the moment that not all browsers support LocalStorage.
Would it be possible to roll your own authentication "handler" (for want of a better word) that makes use of LocalStorage rather than a Cookie for FormsAuthentication within an ASP.NET web app?
If it is possible where would I find the best information to start learning how to do it?
Generally, your authentication happens at the server end and cookie contents are passed along with every request. So, by using the information available in request before accessing the resource, server can see if the user is logged in.
But, in case of localStorage the contents are not passed to the server with every request and is accessible only to Javascript. Hence it is not possible to use localStorage for authentication instead of cookie.
We are implementing a single sign on mechanism in an enterprise environment, where the token is shared between applications using HTTP header. Now, in order to do the integration test, I need to write an application to simulate this.
Is there any way in ASP.NET where I can redirect to another web-page and pass a custom HTTP header in the process?
Thanks
You need to create a page on Site B that Site A redirects the user too that sets a cookie with the desired value.
for instance.
http://siteb.com/authenticate.aspx?authtoken=15128901428901428904jasklads&returnUrl=http://siteb.com/index.aspx
authenticate.aspx would set a cookie and then every request would receive authtoken.
The server could send the HTTP header to the client on a redirect, but the client would not send it back to the other remote server.
The ideal solution in this case would be to use a Cookie, or a QueryString variable. Cookies may suffer from cross-domain issues and become complicated if host names are different enough.
In any of these approaches, one must be careful not to create a security hole by trusting this information as it is user input coming back from the client (or some black hat).