Keep track of session cookie in web client

[mirhagk]

Basically I'm trying to get information from a server, but in order to get said information, the user must be logged in. I can POST the login fine, and that allows the user to be logged in, but the server uses a session cookie to know whether to show the information on the next page. This works perfectly when I hardcode a cookie that's specific to a firefox session that's already logged in, but I can't get the session ID from the login page (there's some other info in the cookie that's important too, but I can recreate the rest of that).

Here's my code (currently doesn't work, but if you uncomment the session cookie line, and put in your own session cookie, it will work):

code:

static void GetCourseInfoSession(int subjectID, string courseName, int semester, bool evening, string userName, string password) {     System.Net.WebClient client = new System.Net.WebClient();     //log-in so we can access the course data     string loginData = String.Format("destination=%2Fcis%2Fahtml%2Fmugsi.htm&credential_0={0}&credential_1={1}", PercentEncode(userName), PercentEncode(password));     string loginResult = client.UploadString("https://adweb.cis.mcmaster.ca/submitlogin", loginData);                 //client.Headers.Add("Cookie","Hidden because of confidential info");     string URL = String.Format("https://adweb.cis.mcmaster.ca/mtt/spmastdtl.php?s={0}&c={1}&t={2}&d={3}", subjectID, courseName, semester, evening ? "E" : "D");     string webPage = client.DownloadString(URL);     System.IO.File.WriteAllText("results.html", webPage); }

Is there any way to intercept the information that the server tries to write in a cookie, and then pass that back in the request, like I do with the hard coded cookie?

Thanks.

(and just in case anyone's wondering, the purpose of this program is to have a user enter their macmaster username and password, and provide them with options for their schedule, such as showing them alternate schedules to their current one that they could use if they wanted to, and in the future perhaps showing them available courses they are interested in, or watching the courses to see if they ever come available (technically it could even notify the person, and keep the session open, so as long as the person comes within 45 minutes they will already be logged into the system and can simply change the courses that they want)

[2goto1]

Your server side API should be able to support accessing cookies from your requests. See http://social.msdn.microsoft.com/Forums/en-US/visualjsharpgeneral/thread/66358d71-1690-4464-b2e7-7be026f18f51/. It looks like System.Net.HttpWebRequest may provide you with access to the cookies from your server side request.

You should then be able to pass those cookies back to your client. .NET allows you to write cookies as a part of your HTTP responses.

[mirhagk]

Thanks for the article 2goto1, looks like everything I need. Just a note though, I don't have access to change the server, I can just control the client. The server is also php (but that shouldn't matter).

It looks like this is everything I need, thank you very much. If anyone is going to McMaster, this app should be ready to go soon.

[2goto1]

It looks like it could be a brittle solution, but the PHP API that you're using seems to be a web service based layer offered by the university, so it will hopefully be around for some time, so that your application won't keep breaking and having to be revised.

Are you just saving the password in plain text form into session state when the user attempts login to your site? Or are passwords actually stored in a human readable format? If so, that seems a security issue.

Surprised that they don't have a DMZ where you could just access web services without requiring constant re-authentication. Otherwise as-is with your solution, you may want to test the process of a user logging into your service, and then changing their password on a separate McMaster website, and then attempting to refresh the page on your app with the original authenticated session that they had for your site (you said it remains active for up to 45 mins of inactivity).

[mirhagk]

The 45 minute time is the maximum amount of time a user can be logged into the course changing system, which only allows a few students in at a time (hence it holding onto the session could be quite useful, so that you don't have to keep retrying to get in)

The app is just a command line app to generate potential schedules given a list of courses, so the log in is just used to grab the course times, it isn't used to write any information. The password is simply grabbed from the console, and passed to the server, so it's not stored locally. I just gotta double check that using the HTTPS URL in webclient makes the function use HTTPS, so the password will be encrypted during transmission.

Your right about the potential for this to be broken very easily if and when the school updates their system, however in this scenario it's not as much a risk. McMaster has 2 course selection periods, one where you choose which courses you'd like. Then they generate schedules for everyone, then you get a chance to change courses, and select different classes to get a better timetable (or teachers). This app applies to the 2nd selection period, and the university is unlikely to change the website at any time during the whole process (if they did they risk messing up people selecting courses, or the server overloading etc) so it means I just have to be careful to make sure it's up to date every year.

[2goto1]

I see. I assumed it was a server side process running during a user's web request, versus a command line script.

[mirhagk]

It's simply a command line script right now. Eventually I may make it a web server, so that anyone can use it (not just the technically experienced) but I want to get the basics working so I can use it right now. I also don't want to go through the effort unless I know others will use it (I'm pretty sure others will, but I need to find some place to discuss with McMaster students)