C# 在客户端上通过 HTTPS 维护会话

发布于 2024-08-11 06:44:15 字数 1435 浏览 8 评论 0原文

我需要登录网站并执行操作。该网站是基于 REST 的,因此我可以通过这样做轻松登录(登录信息作为 URL 中的查询字符串包含在内,因此我不需要设置凭据):

CookieContainer cookieJar = new CookieContainer();

HttpWebRequest firstRequest = (HttpWebRequest) WebRequest.Create(loginUrl);
firstRequest.CookieContainer = cookieJar;
firstRequest.KeepAlive = true;
firstRequest.Method = "POST";
HttpWebResponse firstResponse = (HttpWebResponse)firstRequest.GetResponse();

这可以正常工作并让我登录。我得到了一个 cookie维护会话并将其存储在上面所示的 cookieJar 中。然后我执行第二个请求,如下所示:

HttpWebRequest secondRequest = (HttpWebRequest) WebRequest.Create(actionUrl);
secondRequest.Method = "POST";
secondRequest.KeepAlive = true;
secondRequest.CookieContainer = cookieJar;
WebResponse secondResponse = secondRequest.GetResponse();

我确保将 cookie 分配给新请求。但由于某种原因,这似乎不起作用。我收到一条错误消息,告诉我“我的会话已超时或过期”,并且这是一个接一个地完成的,所以这不是时间问题。

我使用 Fiddler 来检查 HTTP 标头,但我发现这很困难,因为这是 HTTPS。 (我知道我可以解密它,但似乎效果不佳。)

我可以获取此休息服务的 URL 并将它们粘贴到 Firefox 中,一切正常,所以这一定是我做错了,而不是连接的另一端。

我对 HTTPS 不太熟悉。我需要做其他事情来维持会话吗?我以为 cookie 就是这样,但也许我还需要在两个请求之间维护其他东西?

以下是我发送第一个请求时返回的标头(除了我更改了 cookie 以保护无辜者!):

X-DB-Content-length=19
Keep-Alive=timeout=15, max=50
Connection=Keep-Alive
Transfer-Encoding=chunked
Content-Type=text/html; charset=WINDOWS-1252
Date=Mon, 16 Nov 2009 15:26:34 GMT
Set-Cookie:MyCookie stuff goes here
Server=Oracle-Application-Server-10g

任何帮助将不胜感激,我已经没有想法了。

I need to login to a website and perform an action. The website is REST based so I can easily login by doing this (the login info is included as a querystring on the URL, so I dont't need to set the credentials):

CookieContainer cookieJar = new CookieContainer();

HttpWebRequest firstRequest = (HttpWebRequest) WebRequest.Create(loginUrl);
firstRequest.CookieContainer = cookieJar;
firstRequest.KeepAlive = true;
firstRequest.Method = "POST";
HttpWebResponse firstResponse = (HttpWebResponse)firstRequest.GetResponse();

That works and logs me in. I get a cookie back to maintain the session and it's stored in the cookieJar shown above. Then I do a second request such as this:

HttpWebRequest secondRequest = (HttpWebRequest) WebRequest.Create(actionUrl);
secondRequest.Method = "POST";
secondRequest.KeepAlive = true;
secondRequest.CookieContainer = cookieJar;
WebResponse secondResponse = secondRequest.GetResponse();

And I ensure I assign the cookies to the new request. But for some reason this doesn't appear to work. I get back an error telling me "my session has timed out or expired", and this is done one right after the other so its not a timing issue.

I've used Fiddler to examine the HTTP headers but I'm finding that difficult since this is HTTPS. (I know i can decrypt it but doesn't seem to work well.)

I can take my URL's for this rest service and paste them into firefox and it all works fine, so it must be something I'm doing wrong and not the other end of the connection.

I'm not very familiar with HTTPS. Do I need to do something else to maintain my session? I thought the cookie would be it, but perhaps there is something else I need to maintain across the two requests?

Here are the headers returned when I send in the first request (except I changed the cookie to protect the innocent!):

X-DB-Content-length=19
Keep-Alive=timeout=15, max=50
Connection=Keep-Alive
Transfer-Encoding=chunked
Content-Type=text/html; charset=WINDOWS-1252
Date=Mon, 16 Nov 2009 15:26:34 GMT
Set-Cookie:MyCookie stuff goes here
Server=Oracle-Application-Server-10g

Any help would be appreciated, I'm running out of ideas.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

故事灯 2024-08-18 06:44:15

在解密我的程序中的 HTTP 流量后,我终于让它工作了。

我返回的 cookie 没有列出 Path 变量。因此 .NET 获取当前路径并将其指定为 cookie 上的路径(包括当前页面)。即:如果位于 http://mysite/somepath/somepage.htm ,则会设置 cookie路径=/somepath/somepage.htm。这是一个错误,因为它应该分配给“/”,这是所有网络浏览器所做的。 (希望他们能解决这个问题。)

注意到这一点后,我抓住了 cookie 并修改了路径属性,现在一切正常。

有类似问题的其他人请查看 Fiddler。 .NET 使用 Windows 证书存储,因此要解密来自程序的 http 流量,您需要按照此处的说明进行操作: http://www.fiddler2.com/Fiddler/help/httpsdecryption.asp 。您还需要在 Fiddler 的 Options\HTTPS 选项卡下打开解密。

I finally got it working after decrypting the HTTP traffic from my program.

The cookie I'm getting back doesn't list the Path variable. So .NET takes the current path and assigns that as the path on the cookie including the current page. ie: If it was at http://mysite/somepath/somepage.htm it would set the cookie path=/somepath/somepage.htm. This is a bug as it should be assigned to "/" which is what all web browsers do. (hope they fix this.)

After noticing this I grabbed the cookie and modified the path property and everything works fine now.

Anyone else with a problem like this check out Fiddler. .NET uses the windows certificate store so to decrypt http traffic from your program you will need to follow the instructions here: http://www.fiddler2.com/Fiddler/help/httpsdecryption.asp . You will also need to turn on decryption under the Options\HTTPS tab of Fiddler.

紫竹語嫣☆ 2024-08-18 06:44:15

来自 MSDN

当用户在安全区域和公共区域之间来回移动时,ASP.NET 生成的会话 cookie(如果启用了无 cookie 会话状态,则为 URL)会以明文形式随之移动,但身份验证 cookie 永远不会通过通过未加密的 HTTP 连接只要设置了安全 cookie 属性

因此基本上,如果“Secure”属性设置为“false”,则 cookie 可以通过 HTTP 和 HTTPS 传递。

另请参阅 如何共享 asp http 和 https 之间的 .net 会话

From MSDN:

When a user moves back and forth between secure and public areas, the ASP.NET-generated session cookie (or URL if you have enabled cookie-less session state) moves with them in plaintext, but the authentication cookie is never passed over unencrypted HTTP connections as long as the Secure cookie property is set.

So basically, the cookie can be passed over both HTTP and HTTPS if the 'Secure' property is set to 'false'.

see also how can I share an asp.net session between http and https

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文