I am currently working on a .Net application which makes HTTP requests to some web applications hosted on a IIS server. The application is deployed through ClickOnce and is working fine on simple networks architectures.
One of our customers has a very complex network involving a custom authentication server on which the user has first to log himself in order to be authenticated and get access to other applications on this network. Once authenticated on this server, a session cookie is created and sent to the user. Every time the user then makes a request on a secured server of the network, this cookie is checked to grant access to the user. If this cookie is not sent with the request, the user is redirected to the login page. The only browser used is Internet Explorer.
This cookie cannot be accessed from our .net application since it is executed in another process than the Internet Explorer process which was used to log the user in, and thus is not sent with our requests, which cannot be completed since the server redirects every of our requests to the login page.
I had a look at embedding my application into Internet Explorer by making the main control COM visible and creating it on an HTML page with an tag. It is working properly, however the sessions cookies set earlier in the browser are not sent when the ActiveX control makes web requests.
I was hoping this sharing of the session information would be automatic (although I didn't really believe it). So my questions are : Is it possible to have access to this cookie in the embedded ActiveX? How? Does it make a difference to use a .Net COM-interop component instead of a "true" ActiveX control? Also, are there specific security words to describe this kind of behaviors (given that I am not an expert at all on security topics, this lack of proper terminology makes it a lot harder to find the needed resources)?
我目前正在开发一个. net应用程序,该应用程序将HTTP请求发送到托管在IIS服务器上的一些web应用程序。该应用程序通过ClickOnce部署,在简单的网络架构上运行良好。我们的一个客户有一个非常复杂的网络,其中涉及一个自定义身份验证服务器,用户必须首先登录该服务器,以便进行身份验证并访问该网络上的其他应用程序。在此服务器上进行身份验证后,将创建会话cookie并将其发送给用户。每次用户在网络的安全服务器上发出请求时,都会检查此cookie以授予对用户的访问权。如果此cookie未与请求一起发送,则将用户重定向到登录页面。唯一使用的浏览器是Internet Explorer。这个饼干不能从我们的. net应用程序访问,因为它比ie在另一个进程执行过程用于用户登录,因此不是发送请求,无法完成以来,服务器将把每一个我们的请求重定向到登录页面。我尝试将我的应用程序嵌入到Internet Explorer中,方法是让主控件COM可见,并在一个带有标记的HTML页面上创建它。它工作正常,但是当ActiveX控件发出web请求时,浏览器中先前设置的会话cookie不会被发送。我希望这种会话信息的共享是自动的(尽管我并不真的相信)。我的问题是:是否有可能在嵌入的ActiveX中访问这个cookie ?如何?使用。net COM-interop组件而不是“真正的”ActiveX控件有什么不同吗?此外,是否有特定的安全词汇来描述这种行为(考虑到我根本不是安全主题方面的专家,缺乏适当的术语使得查找所需的资源变得更加困难)?
My goal is to have my application's requests look the same from the requests made by the host browser's requests, and I thought that embedding the application as an ActiveX control into the browser was the only way to achieve this, however any suggestion on another to do this is welcome.
我的目标是把应用程序的请求从请求由主机看起来一样浏览器的请求,我认为将应用程序作为一个ActiveX控件嵌入到浏览器是唯一的方法来实现这一目标,然而在另一个就是欢迎任何建议。
2 个解决方案
#1
2
A way I found to achieve this is to have the ActiveX component embedding the Internet Explorer component (WebBrowser object), and to use it to do my http requests instead of standard class objects. By doing this, session cookies (even http-only ones) set in Internet Explorer become available to the embedded Internet Explorer and are automatically sent with each requests.
我发现实现这一点的一种方法是让ActiveX组件嵌入Internet Explorer组件(WebBrowser对象),并使用它来执行http请求,而不是标准类对象。通过这样做,在Internet Explorer中设置的会话cookie(甚至是仅支持http的cookie)将对嵌入式Internet Explorer可用,并将随每个请求自动发送。
#2
0
I don't really know much about .NET, IIS or ActiveX, but would it be possible to pass the cookies to the embedded application? Javascript has document.cookie which should contain all of the cookies for the current domain (the ones sent for the current page request). It's probably possible to have this value passed to your embedded application somehow.
我不太了解。net、IIS或ActiveX,但是是否可以将cookie传递给嵌入式应用程序?Javascript文件。cookie,它应该包含当前域的所有cookie(发送给当前页请求的cookie)。可能会以某种方式将这个值传递给嵌入式应用程序。
Sorry for the vague answer. I hope it can at least point you in a new direction.
对不起,我的回答不明确。我希望它至少能给你指明一个新的方向。
#1
2
A way I found to achieve this is to have the ActiveX component embedding the Internet Explorer component (WebBrowser object), and to use it to do my http requests instead of standard class objects. By doing this, session cookies (even http-only ones) set in Internet Explorer become available to the embedded Internet Explorer and are automatically sent with each requests.
我发现实现这一点的一种方法是让ActiveX组件嵌入Internet Explorer组件(WebBrowser对象),并使用它来执行http请求,而不是标准类对象。通过这样做,在Internet Explorer中设置的会话cookie(甚至是仅支持http的cookie)将对嵌入式Internet Explorer可用,并将随每个请求自动发送。
#2
0
I don't really know much about .NET, IIS or ActiveX, but would it be possible to pass the cookies to the embedded application? Javascript has document.cookie which should contain all of the cookies for the current domain (the ones sent for the current page request). It's probably possible to have this value passed to your embedded application somehow.
我不太了解。net、IIS或ActiveX,但是是否可以将cookie传递给嵌入式应用程序?Javascript文件。cookie,它应该包含当前域的所有cookie(发送给当前页请求的cookie)。可能会以某种方式将这个值传递给嵌入式应用程序。
Sorry for the vague answer. I hope it can at least point you in a new direction.
对不起,我的回答不明确。我希望它至少能给你指明一个新的方向。