Menu
I have an app that sends a username and password to an API via HTTPS. The API returns HTTPOnly cookies.
This means that the cookies are "invisible" to the code, but still exist and will be sent to the server in subsequent requests.
The Set-Cookie header is stripped from the HttpWebResponse.Headers and the cookie does not appear in the HttpWebResponse.Cookies or the HttpWebRequest.CookieContainer. However, if a subsequent request is made using that same HttpWebRequest.CookieContainer they are sent to the server, but they are inaccessible to the code.
As far as I can tell, this makes them impossible to serialize or preserve in any way. It seems the only way to make this work will be to cache the actual username and password and login again every time.
Is there something I am missing?
850
Yes you are correct having the cookie your browser should send the cookie automatically while it is not expired and the httpOnly flag means it cannot be accessed or manipulated via JavaScript.
Enable HTTPOnly cookie in CORS enabled backend Enabling Cookie in CORS needs the below configuration in the application/server. Set Access-Control-Allow-Credentials header to true. Access-Control-Allow-Origin and Access-Control-Allow-Headers should not be a wildcard(*). Cookie sameSite attribute should be None.
A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document. cookie API; it's only sent to the server. For example, cookies that persist in server-side sessions don't need to be available to JavaScript and should have the HttpOnly attribute.
It provides a gate that prevents the specialized cookie from being accessed by anything other than the server. Using the HttpOnly tag when generating a cookie helps mitigate the risk of client-side scripts accessing the protected cookie, thus making these cookies more secure.
You'll have to use reflection to take a look at the Cookies stored in the cookie container.
Use something like this to have a look at what you have, then you can either try to subclass to gain access to the data you want or go through the process of storing the cookie in memory, deleting it from the container, then adding it as a normal cookie
public List<Cookie> GetAllCookies(CookieContainer cc)
{
List<Cookie> lstCookies = new List<Cookie>();
Hashtable table = (Hashtable)cc.GetType().InvokeMember("m_domainTable", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.GetField | System.Reflection.BindingFlags.Instance, null, cc, new object[] { });
foreach (var pathList in table.Values)
{
SortedList lstCookieCol = (SortedList)pathList.GetType().InvokeMember("m_list", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.GetField | System.Reflection.BindingFlags.Instance, null, pathList, new object[] { });
foreach (CookieCollection colCookies in lstCookieCol.Values)
foreach (Cookie c in colCookies) lstCookies.Add(c);
}
return lstCookies;
}
public string ShowAllCookies(CookieContainer cc)
{
StringBuilder sb = new StringBuilder();
List<Cookie> lstCookies = GetAllCookies(cc);
sb.AppendLine("=========================================================== ");
sb.AppendLine(lstCookies.Count + " cookies found.");
sb.AppendLine("=========================================================== ");
int cpt = 1;
foreach (Cookie c in lstCookies)
sb.AppendLine("#" + cpt++ + "> Name: " + c.Name + "\tValue: " + c.Value + "\tDomain: " + c.Domain + "\tPath: " + c.Path + "\tExp: " + c.Expires.ToString());
return sb.ToString();
}
You can also try using TCP Sockets to get the cookies directly. Here's my answer for a similar question: https://stackoverflow.com/a/21737087/262036
Once you get the response you parse the string in search for the cookie and grab the value. After that you can create a new cookie in the CookieContainer that is not HttpOnly and use it in next requests.
21
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
