HttpOnly Cookies are ignored even with CookieContainer

  • Question

  • Hi,
I am having trouble with passing HttpOnly cookies using WebClient.

    I have created a custom WebClient which sets a CookieContainer on the request in the overridden GetWebRequest method this way:

        using System;
        using System.Net;

        // Shares one CookieContainer across every request this client makes
        public class SmartWebClient : WebClient
        {
            private CookieContainer cc;

            [System.Security.SecuritySafeCritical]
            public SmartWebClient()
                : base()
            {
                cc = new CookieContainer();
            }

            protected override WebRequest GetWebRequest(Uri address)
            {
                // Attach the container so Set-Cookie responses are stored and replayed
                HttpWebRequest request = (HttpWebRequest)base.GetWebRequest(address);
                request.CookieContainer = cc;
                return request;
            }
        }
    But even with this change the WebClient ignores passing HttpOnly cookies.

    If I make an UploadString request to the URI https://login.server.tld/login/me it sends back a Set-Cookie header with two cookies
    Set-Cookie: prvni=SDFSDGR;Domain=login.server.tld;Path=/;HttpOnly;Version=1
    Set-Cookie: druha=5F5EB93;Domain=login.server.tld;Path=/;Secure;HttpOnly;Version=1
    and a Location header to https://login.server.tld/logged/in

    But when the WebClient then navigates to the URI https://my.server.tld/logged/in, it does not pass the cookies, so the login fails. (I was checking this using Fiddler.)

    I also noticed that when server sends back these Set-Cookie:
    Set-Cookie: prvni=SDFSDGR;Domain=.server.tld;Path=/;HttpOnly;Version=1
    Set-Cookie: druha=5F5EB93;Domain=.server.tld;Path=/;Secure;HttpOnly;Version=1
    (Domain with "login" omitted from login.server.tld) the WebClient passes the cookies well and the login process finishes with success. But the problem is that I can't change the remote server's behaviour to send this type of cookie; it sends cookies with FQDN domain names.

    Is this common behavior or am I missing something?

    Thanks for any advice

    Vladimir.
    Tuesday, April 24, 2012 9:29 AM

All replies

  • It works as you can see.
    My workaround in this scenario looks like:

    using System;

    WebBrowser browser = new WebBrowser();
    browser.IsScriptEnabled = true;
    browser.Navigated += new EventHandler<System.Windows.Navigation.NavigationEventArgs>(browser_Navigated);
    browser.Navigate(new Uri(""));   // target URI left empty in the original post

    void browser_Navigated(object sender, System.Windows.Navigation.NavigationEventArgs e)
    {
        // document.cookie returns only the cookies that are visible to script
        string cookie = browser.InvokeScript("eval", new string[] { "document.cookie;" }) as string;
    }
    Tuesday, April 24, 2012 10:23 AM
  • Thanks,
    but using this way I am not able to grab any cookie which has the HttpOnly attribute set :-( Because the HttpOnly flag is mainly there to prevent JavaScript from seeing the content of these cookies.
    Tuesday, April 24, 2012 10:51 AM
    The cookie container is behaving as it should according to how cookie domain paths are allowed to be interpreted by clients. The server you are using to authenticate is sending you a cookie for a specific subdomain (login), meaning you are only authenticated against that subdomain and those cookies should not be passed through to other subdomains (i.e. my).

    I'd investigate what cookies are sent when you try and do a similar operation in a browser (using Fiddler as above). Your only option may be to ignore the redirect if you actually are trying to access login.server.tld.
    Tuesday, April 24, 2012 6:25 PM
    I am sorry, I first named the example hostname my.server.tld and then changed it to login.server.tld, which I thought was more explanatory, and forgot to change it in the rest of the text around the code examples.


    To be more specific, I POST to the remote site my.server.tld, which sets cookies for the domain login.server.tld and sets Location to my.server.tld, which sends a second redirect to login.server.tld, and the cookies are still not passed even though the domain name matches.
    Tuesday, April 24, 2012 11:10 PM
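As an added example (not code from any poster in this thread, and not .NET's CookieContainer), the following Python is a from-scratch model of the RFC 6265 rules that the third reply refers to: which hosts a cookie with a given Domain attribute is sent to, and whether a user agent accepts a cookie whose Domain attribute does not cover the host that set it (RFC 6265 section 5.3 rejects such a cookie). It runs those rules over the two Set-Cookie variants quoted in the question and over the redirect chain described in the last post, using only the hostnames and cookie values from the thread; the three scenarios are constructed for illustration. It also models document.cookie (the first reply's workaround) by omitting HttpOnly cookies, and the Secure flag by dropping those cookies on plain http.

```python
# Added example: a from-scratch model of the RFC 6265 cookie rules, run over the
# Set-Cookie headers quoted in this thread. Not .NET's CookieContainer, not a poster's code.
from urllib.parse import urlsplit

def domain_match(host, domain):
    # RFC 6265 5.1.3: identical, or host ends with "." + domain
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    # RFC 6265 5.1.4: identical, or cookie-path is a prefix ending in "/" or at a "/" boundary
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and the attributes modelled here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()   # attribute names are case-insensitive
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain" and val:
            cookie["domain"] = val.lower().lstrip(".")  # a leading dot is ignored
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie

class CookieJar:
    """store() applies the acceptance rules of RFC 6265 5.3; cookie_header() the
    selection rules of 5.4. Expiry and ordering are left out of this model."""

    def __init__(self):
        self.cookies = []

    def store(self, response_url, set_cookie):
        """True if stored; False if the Domain attribute does not cover the host
        that sent the cookie (5.3 step 6: the user agent ignores it entirely)."""
        host = urlsplit(response_url).hostname.lower()
        c = parse_set_cookie(set_cookie)
        if c["domain"] is None:            # no Domain attribute: host-only cookie
            c["domain"], c["host_only"] = host, True
        elif domain_match(host, c["domain"]):
            c["host_only"] = False
        else:
            return False
        self.cookies.append(c)
        return True

    def cookie_header(self, request_url, from_script=False):
        """Cookie header a user agent sends to request_url; from_script=True
        models document.cookie, which never exposes HttpOnly cookies."""
        u = urlsplit(request_url)
        host, path = u.hostname.lower(), u.path or "/"
        sent = []
        for c in self.cookies:
            in_scope = (host == c["domain"] if c["host_only"]
                        else domain_match(host, c["domain"]))
            if not in_scope or not path_match(path, c["path"]):
                continue
            if (c["secure"] and u.scheme != "https") or (from_script and c["httponly"]):
                continue
            sent.append(c["name"] + "=" + c["value"])
        return "; ".join(sent)

# Constructed scenarios using only the hostnames and Set-Cookie values from the thread.
FQDN = ["prvni=SDFSDGR;Domain=login.server.tld;Path=/;HttpOnly;Version=1",
        "druha=5F5EB93;Domain=login.server.tld;Path=/;Secure;HttpOnly;Version=1"]
PARENT = ["prvni=SDFSDGR;Domain=.server.tld;Path=/;HttpOnly;Version=1",
          "druha=5F5EB93;Domain=.server.tld;Path=/;Secure;HttpOnly;Version=1"]

def thread_scenarios():
    r = {}
    # A (first post): login.server.tld sets the cookies, then each host is requested
    jar = CookieJar()
    r["a_stored"] = [jar.store("https://login.server.tld/login/me", h) for h in FQDN]
    r["a_to_login"] = jar.cookie_header("https://login.server.tld/logged/in")
    r["a_to_my"] = jar.cookie_header("https://my.server.tld/logged/in")
    # B (follow-up post): my.server.tld sets cookies whose Domain is login.server.tld
    jar = CookieJar()
    r["b_stored"] = [jar.store("https://my.server.tld/login/me", h) for h in FQDN]
    r["b_to_login"] = jar.cookie_header("https://login.server.tld/logged/in")
    # C: same response with Domain=.server.tld, which covers both hosts
    jar = CookieJar()
    r["c_stored"] = [jar.store("https://my.server.tld/login/me", h) for h in PARENT]
    r["c_to_login"] = jar.cookie_header("https://login.server.tld/logged/in")
    r["c_to_login_http"] = jar.cookie_header("http://login.server.tld/logged/in")
    r["c_document_cookie"] = jar.cookie_header("https://login.server.tld/", from_script=True)
    return r
```

Running thread_scenarios() shows the three outcomes side by side: in scenario A both cookies go to login.server.tld and neither to my.server.tld; in scenario B the jar refuses both cookies because my.server.tld may not set cookies for login.server.tld, so nothing is sent even when the redirect does reach login.server.tld; in scenario C the parent-domain cookies are accepted and sent to both hosts, the Secure one only over https, and document.cookie sees neither because both are HttpOnly.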