Cookie manager for HTTP/HTTPS

#24832
Posted: 05/03/2013 09:21:46
by Eugene Mayevski (EldoS Corp.)

Quote
Walter Schrabmair wrote:
Did you see the Protocol Snapshot? I never get the session cookie from the server, all I see is that the client sent me the session cookie back to the server. I assume that this authentication info is sent over https lines.


The snapshot doesn't show what has been sent by the server. Indeed it's possible that the cookie was set in HTTPS response to previous HTTPS request.

I need to emphasize that cookies obtained via HTTPS must NOT be used in plain HTTP sessions. If IE does this, then this is both a violation of the standard and a security hole.

If you logged in using Browser and then your code worked, then this happened only because IE and your code share a cookie storage in Windows. If you bring your code to another computer, it will stop working.


Now to receive a cookie using TElHTTPSClient you need to post your login information using TElHTTPSClient - then the server will respond with authentication cookie and you will receive it.


Sincerely yours
Eugene Mayevski
#24833
Posted: 05/03/2013 09:29:08
by Walter Schrabmair (Priority Standard support level)
Joined: 05/03/2013
Posts: 150

Eugene,
I think I have found my misunderstanding. The cookies from refworks.com are still on my HDD from prev. sessions. So it sends the cookies with the first GET.

I have the same situation with eldos. On a new PC the first time I did a GET to Eldos I saw no cookies in the GET HEADER. After I got a SET-COOKIE I could see the cookies also in the first GET in the HEADER.

I have to clean the cookies with CCleaner, before I have an intrinsic state without old cookies.

Right ?
#24834
Posted: 05/03/2013 09:31:44
by Eugene Mayevski (EldoS Corp.)

Quote
Walter Schrabmair wrote:
The cookies from refworks.com are still on my HDD from prev. sessions. So it sends the cookies with the first GET.


Yes. And if you clear cookies (even with your old application) you will see that it doesn't work until you somehow authorize on the server (either by posting your login info in code or by going there with IE).


Sincerely yours
Eugene Mayevski
#24835
Posted: 05/03/2013 09:33:36
by Walter Schrabmair (Priority Standard support level)
Joined: 05/03/2013
Posts: 150

Quote
Now to receive a cookie using TElHTTPSClient you need to post your login information using TElHTTPSClient - then the server will respond with authentication cookie and you will receive it.


Yes, that was one of my mistakes. I did login with IE in the form browser window.
(As I have to study the login page, which field has a user id and which field has a password.) Keep learning! Thanks for your help.
Walter
#24836
Posted: 05/03/2013 09:45:47
by Walter Schrabmair (Priority Standard support level)
Joined: 05/03/2013
Posts: 150

Quote
Yes. And if you clear cookies (even with your old application) you will see that it doesn't work until you somehow authorize on the server (either by posting your login info in code or by going there with IE).


I understood it. I have checked the login page and found that the LoginName and Password are normal fields, but there is no action like it is done in PHP with a POST. Could you tell me which URI is called when I click on ANMELDEN? It's a JavaScript wrapping and I can't look through it.
#24837
Posted: 05/03/2013 09:53:49
by Eugene Mayevski (EldoS Corp.)

Unfortunately it's not that trivial. Site owners obviously attempt to counteract interactive logins. Of course, you can use Fiddler with a fake certificate to get the contents of the request sent via HTTPS and find the URL to post the data this way. But if the site owners want to prevent this, they will add some dynamic stuff which you would have to emulate in your code completely in order to pass this "protection".

I can't say for sure why they do this (i.e. is it intentional protection or they have just implemented login this way) so maybe it's better to ask them.


Sincerely yours
Eugene Mayevski
#24838
Posted: 05/03/2013 09:59:56
by Walter Schrabmair (Priority Standard support level)
Joined: 05/03/2013
Posts: 150

OK, I see that for understanding the cookie stuff I have to look for another project.
As I said, it was a past project which works semi-automatically.

But thanks for your help.
BTW Do you know where ELDOS Client demo stores the cookies on a WIN 7 64 bit PC?


Have a nice day!
Thanks
Walter
#24839
Posted: 05/03/2013 10:02:01
by Eugene Mayevski (EldoS Corp.)

Quote
Walter Schrabmair wrote:
BTW Do you know where ELDOS Client demo stores the cookies on a WIN 7 64 bit PC?


Samples don't work with cookies at all (we just didn't add cookie manager there for simplicity).

Now, it's your application's job to load and save cookies using corresponding methods.


Sincerely yours
Eugene Mayevski
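The two rules stated in this thread, that a cookie obtained over HTTPS and marked Secure must never be sent on a plain HTTP request (post #24832) and that the application itself has to load and save cookies between runs (post #24838), as an added Python illustration; this is not EldoS or TElHTTPSClient code, and the host names and cookie values are constructed.

```python
import json
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieStore:
    """Minimal per-host cookie jar illustrating two rules from the thread:
    a cookie flagged Secure is returned only on HTTPS requests, and the
    application persists the jar itself (here as JSON text)."""

    def __init__(self):
        # host -> cookie name -> {"value": str, "secure": bool}
        self.cookies = {}

    def store(self, url, set_cookie_headers):
        """Record the Set-Cookie headers of a response to `url`."""
        host = urlsplit(url).hostname
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                self.cookies.setdefault(host, {})[name] = {
                    "value": morsel.value,
                    "secure": bool(morsel["secure"]),
                }

    def header_for(self, url):
        """Build the Cookie request header for `url`: empty on a fresh jar
        (the 'no cookies in the first GET' case) and without Secure
        cookies when the scheme is plain http."""
        parts = urlsplit(url)
        over_https = parts.scheme == "https"
        pairs = [
            f"{name}={c['value']}"
            for name, c in self.cookies.get(parts.hostname, {}).items()
            if over_https or not c["secure"]
        ]
        return "; ".join(pairs)

    def to_json(self):
        """Serialise the jar so the application can write it to disk."""
        return json.dumps(self.cookies)

    @classmethod
    def from_json(cls, text):
        """Rebuild a jar from text previously produced by to_json()."""
        jar = cls()
        jar.cookies = json.loads(text)
        return jar
```

A fresh jar yields an empty Cookie header, which is the behaviour Walter saw on a new PC; once the login response's Set-Cookie headers are stored, the Secure session cookie appears only on https:// requests.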
#24841
Posted: 05/03/2013 10:18:37
by Walter Schrabmair (Priority Standard support level)
Joined: 05/03/2013
Posts: 150

But the cookies must be stored on disk somewhere, as I get the cookies at the first GET procedure too. Even in the demo and the eldos.com page.
#24842
Posted: 05/03/2013 10:22:13
by Eugene Mayevski (EldoS Corp.)

There seems to be some big confusion there.

You get cookies from the server. Is there a cookie sent by the client upon the very first request to eldos.com in the sample? Please post the log of the connection.


Sincerely yours
Eugene Mayevski