First I created the HttpClientHandler with cookie container
CookieContainer cookies = new CookieContainer();
HttpClientHandler handler = new HttpClientHandler();
handler.CookieContainer = cookies;
handler.UseCookies = true;
var hc = new HttpClient(handler);
Then I hit the Base Url just to get the cookie with "__RequestVerificationToken"
string r = await hc.GetStringAsync(BaseUrl);
Then I post the username/password to the login Url
HttpContent content = new FormUrlEncodedContent(new[]
{
new KeyValuePair<string, string>("UserName", "admin"),
new KeyValuePair<string, string>("Password", password),
});
HttpResponseMessage response = await hc.PostAsync(LoginUrl, content);
Then I get the server error "The required anti-forgery form field "__RequestVerificationToken" is not present".
But when I check the request in fiddler, I can see that "__RequestVerificationToken" is already added in the cookies of the request.
Then I tried to login manually in IE, and check what kind of the request IE sent.
Then I discovered IE also put "__RequestVerificationToken" in the form, so I added the cookie in the form
new KeyValuePair<string, string>("__RequestVerificationToken", cookies.GetCookies(new Uri(BaseUrl)).Cast<Cookie>().FirstOrDefault(x => x.Name == "__RequestVerificationToken").Value)
Then I got this error
"Validation of the provided anti-forgery token failed. The cookie "_RequestVerificationToken" and the form field "_RequestVerificationToken" were swapped."
Then I couldn't get any search result on google for this error.
Any idea?
Thanks
Found the issue.
The "__RequestVerificationToken" added to the cookie is different from the one added to the form.
So I took the value of "__RequestVerificationToken" in the form from the returned Html string, then it worked!
Related
I am building a web application and when a user signs in, his credentials are first validated against the database. If the credentials are correct, a FormsAuthenticationTicket is created. Then a cookie is created from that ticket. The Expires and Path properties are set. See below.
FormsAuthenticationTicket ticket=new FormsAuthenticationTicket(1, model.User.UserName,
DateTime.Now, DateTime.Now.AddHours(2), RememberMeCheckBox.Checked,
model.User.Id.ToString()+" "+model.User.UserType.ToString());
string cookieStr = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieStr);
cookie.Expires=ticket.Expiration;
cookie.Path = FormsAuthentication.FormsCookiePath;
Response.Cookies.Add(cookie);
Response.Redirect("DummyForm.aspx");
And when I redirect the response to a new page, in the Page_Load event the presence of a cookie is checked.
HttpCookie cookie=HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookiePath];
if(cookie!=null)
{
//Do stuff
}
else
{
//Do other stuff
}
When I run the application, it behaves like the cookie variable is null.
Is there something that I have omitted?
Thanks in advance for your help.
cookie.Domain="localhost";
cookie.Name="My auth cookie";
I also set the domain property to localhost in web.config. However, it still doesn't work. I used the developer tools of Google to check the cookie and I can't see it there.
In my mvc3 application i save data of each user to session.
HttpContext.Current.Session["UserName"] = "Jon";
The problem is in Safari browser.
The default settings is : "block cookies from third parties and advertisers". So session is not saved. I found solution :
var ticket = new FormsAuthenticationTicket(
1,
"currentUser",
DateTime.Now,
DateTime.Now.AddMinutes(30),
false,
null);
string encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
this.Response.Cookies.Add(cookie);
But this solution work only on localhost, is not work on server...
Is anybody have alternative solution for this problem? Or can explain why is my solution not working on server?
Try to set the Domain property of your cookie to exactly match the name of the domain your work server is in, like this:
var cookie = new HttpCookie(...
cookie.Domain = "Microsoft.com";
Once you do it, your cookie is a first-party cookie (as opposed to being a third-party one).
I am trying to setup a basic Form Authentication using ASP.NET 4.
I know my validation code (code that checks if the username and password is correct) is working because after if the user enters invalid information the ReturnLable tells them so. However if they enter the correct information, they are redirected to the restricted page with a 403 – Forbidden error. When I check the shell:cookie path no cookie has been written even though I added it to the collection “Response.Cookies.Add(cookie);”
protected void Submit_Click(object sender, EventArgs e)
{
Email.Text = Email.Text.Trim();
Password.Text = Password.Text.Trim();
if (IsValid(Email.Text, Password.Text)) //user exists
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
Email.Text,
DateTime.Now,
DateTime.Now.AddMinutes(50),
RememberMe.Checked,
"user",
FormsAuthentication.FormsCookiePath);
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);
Response.Cookies.Add(cookie);
}
else
{
ReturnLable.Text = "<font color=red> Username/Password Incorrect Please Try Again </font>";
ReturnLable.Visible = true;
}
From this MSDN article:
If you do not set the cookie's expiration, the cookie is created but
it is not stored on the user's hard disk. Instead, the cookie is
maintained as part of the user's session information. When the user
closes the browser or if the session times out, the cookie is
discarded.
Thus, a cookie could be successfully set, alive and well in the browser, but have no corresponding file in the "cookies" folder on the hard drive.
make sure that Enable anonymous access is disabled on IIS and Integrated Windows security is enabled
I have a ASP page where there is a link which is passed to another domain written in JSP.
I need to pass a parameter from ASP page to JSP page but it should be hidden from being caught by user.
On other side in JSP page I will retrieve the parameter and use it accordingly. How can I achieve this?
You could do a WebRequest in the .NET page to the JSP page, set whatever you need on the server side JSP, then redirect to a JSP URL with the server side state already in place.
// Create a request for the URL.
WebRequest request = WebRequest.Create ("http://www.contoso.com/default.html");
// If required by the server, set the credentials.
request.Credentials = CredentialCache.DefaultCredentials;
// Get the response.
HttpWebResponse response = (HttpWebResponse)request.GetResponse ();
// Display the status.
Console.WriteLine (response.StatusDescription);
// Get the stream containing content returned by the server.
Stream dataStream = response.GetResponseStream ();
// Open the stream using a StreamReader for easy access.
StreamReader reader = new StreamReader (dataStream);
// Read the content.
string responseFromServer = reader.ReadToEnd ();
// Display the content.
Console.WriteLine (responseFromServer);
// Cleanup the streams and the response.
reader.Close ();
dataStream.Close ();
response.Close ();
//redirect after
I've created a FormsAuthenticationTicket from scratch, but found that when retrieving it at a later time, the UserData isn't coming back. Here is the code used:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1,
user.UserId,
DateTime.Now,
DateTime.MaxValue,
false,
user.UserType);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName,
FormsAuthentication.Encrypt(ticket));
Response.Cookies.Add(cookie);
However, when reading this back on the next Request, I found that the UserData field is now empty:
string encryptedCookie = Request.Cookies[ FormsAuthentication.FormsCookieName ].Value;
FormsAuthenticationticket ticket = FormsAuthentication.Decrypt(encryptedCookie);
Assert.IsTrue( ticket.UserData.Length == 0 ); //TRUE!
Any ideas?
I think I found the problem. If you make up your own cookie name it seems to be fine! So change from:
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName,
FormsAuthentication.Encrypt(ticket));
to
HttpCookie cookie = new HttpCookie(
"SiteCookie",
FormsAuthentication.Encrypt(ticket));
And then retrieve it as per the question:
string encryptedCookie = Request.Cookies[ "SiteCookie" ].Value;
FormsAuthenticationticket ticket = FormsAuthentication.Decrypt(encryptedCookie);
Assert.IsFalse( ticket.UserData.Length == 0 ); //Hooray! It works
Its possible .NET does some tricky stuff with it, so by putting it in a new one works fine.
UPDATE:
Also, the ticket needs to be refreshed, as otherwise the ticket will expire while the user is using the website:
FormsAuthentication.RenewTicketIfOld(ticket); // Do before saving cookie
I have also encountered this problem.
But I think the real reason is that the server set the same cookie twice and the second override the first which contains your UserData field.
You can capture the cookie writing process by Fiddler, and here is a screenshot that show this problem:
So, how this happened? In my situation, I use the Login control to authenticate. In the Login control's Authenticate event, I set the cookie with my UserData after check the username and password manaully. Then, I set the AuthenticateEventArgs.Authenticated=true, at this time, in the debug window, I see a new cookie is queued to the response which name is also equal to FormsAuthentication.FormsCookieName ! My solution is redirect to the Default page instead of setting the AuthenticateEventArgs.Authenticated=true.
So, you may debug your code to see if the authentication cookie is queued to the response twice.
This works for me:
//Create Form Authentication ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, currentUser.userid.ToString(), DateTime.Now, DateTime.Now.AddMinutes(60), false, currentUser.ToString(), FormsAuthentication.FormsCookiePath);
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);
cookie.HttpOnly = true;
HttpContext.Current.Response.Cookies.Add(cookie);