MuellerDesigns.net
Alex Mueller on Software and Technology 
Thursday, February 03, 2005
Authentication in ASP.NET
Recently I was looking for a way to test a web application when I stumbled upon a roadblock. Sometimes I have a specific train of thought that becomes interrupted with an impediment such as the one I found. After pursuing the solution to the roadblock, I forgot what I was initially trying to solve, then it hit me later.

The problem was I needed to be able to programmatically authenticate with an ASP.NET web application. Having dealt with this situation before, I decided to display my solution for two reasons. The first is so I may resort to this code when I need it again, and the second so anyone in search of something similar will have it as well.

One tool I do use for the tracking of my HTTP requests and responses is Fiddler. Fiddler allows for the inspection off all HTTP traffic, which provides a good understanding of what constitutes our headers and messages. In my solution, I use this to understand the requirements of my authentication request.

My approach to the solution is something like the following. We have two URL’s, the first is the authentication URL of our target, and the second is the protected content of our application. In my case, the first URL is something like /Login.aspx, and the second is /Default.aspx. In order to get access to the protected content, we must authenticate with the server, which requires we post our request containing our username, password, and whatever else our application requires. After looking at the request for authentication in Fiddler as my model, I determine what the server requires, which is the ViewState of our application, as well as my username, password, et cetera.

I have dissected this solution into four phases. The first is the initial get of the /Login.aspx URL. After this, I manipulate the response stream to obtain the ViewState content in order to authenticate. The third piece is the authentication against the server, and the fourth is the request of the protected content. My end result is a string representing the protected page.

Microsoft provides a nice sample application which demonstrates the usage of the HttpWebRequest and HttpWebResponse classes if one needs a working model.

// Create our variables
string signinUrl = "http://yourUrl.net/Login.aspx";
string contentUrl = "http://yourUrl.net/Default.aspx";
string responseHtml = null;
CookieContainer cookies = new CookieContainer();

// 1. Initialize our connection and retrieve the Viewstate.
HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(signinUrl);
httpWebRequest.Method = "GET";
httpWebRequest.ContentType = "text/html; charset=utf-8";

StreamReader responseReader = new StreamReader( httpWebRequest.GetResponse().GetResponseStream() );
responseHtml = responseReader.ReadToEnd();
responseReader.Close();
    
// 2. Append to our Viewstate our authenitication requirements.
// Determine where in responseHtml VIEWSTATE is get just the value of it.
// 7 is the length of the string value="
int beginPosition = responseHtml.IndexOf( "value=\"", responseHtml.IndexOf("__VIEWSTATE") ) + 7;
int endPosition = responseHtml.IndexOf( "\"", beginPosition );

// Convert into a Unicode string for the HTTP stream.
string viewState = HttpUtility.UrlEncodeUnicode( responseHtml.Substring( beginPosition, endPosition - beginPosition ) );

// Create our new ViewState with our POST data
string post = String.Format("__VIEWSTATE={0}" +
    "&tbxUserName={1}&tbxPassword={2}&tbxCompany={3}&btnLogin=Login",
    viewState, "myUserName", "myPa$$word", "MyCompany");

// 3. Post our new request to the authentication page.
httpWebRequest = (HttpWebRequest)WebRequest.Create(signinUrl);
httpWebRequest.Method = "POST";            
httpWebRequest.ContentType = "application/x-www-form-urlencoded";
// Set any headers you may desire
httpWebRequest.Headers.Set("Pragma","no-cache");
httpWebRequest.CookieContainer = cookies;

// Add our modifications to our request stream
StreamWriter requestWriter = new StreamWriter(httpWebRequest.GetRequestStream());
requestWriter.Write(post);
requestWriter.Close();
// Close the RequestStream before the next
httpWebRequest.GetResponse().Close();

// 4. Send our final request for the protected page.
httpWebRequest = (HttpWebRequest)WebRequest.Create(contentUrl);
httpWebRequest.CookieContainer = cookies;
responseReader = new StreamReader(httpWebRequest.GetResponse().GetResponseStream());
responseHtml = responseReader.ReadToEnd();
responseReader.Close();            

// At this point, we have a string representation of our protected HTML page.
// do something with responseHtml;

Thursday, February 03, 2005 10:24:44 AM (Mountain Standard Time, UTC-07:00) | Comments [6] | #
Subscribe: Feed your aggregator (RSS 2.0)
Copyright 2010 MuellerDesigns.net
newtelligence dasBlog 2.0.7226.0
MuellerDesigns.net
Search
On This Page
The Split Personality of the Tester/Developer
Cross Site Scripting (XSS)
Creating files with FSUTIL
PowerShell Management Library for Hyper-V
Installing Windows 7
Installing Linux in Hyper-V
Internet Explorer 8 Release Candidate 1
PowerShell Documentation
Automate Daily Tasks with PowerShell
SketchPath XPath Editor
Software Testing - Revisited
Architecting Buildings and Software
NBCOlympics.com with Silverlight
Marker Interfaces and C# Attributes
Most Popular
JavaScript ReplaceAll Functionality
What is polymorphism?
What is composition?
Sorting with IComparable and IComparer
Applying the Observer Pattern in ASP.NET
MVP in ASP.NET
What is abstraction?
What is encapsulation?
What is a class?
What is inheritance?
Authentication in ASP.NET
Calendar Controls
XPathNavigator.CheckValidity new for 2.0
SQL Server 2005 Connection Issues
Auto-attach to process '[####] aspnet_wp.exe' on m...
What is an object?
FreeTextBox
VMWare and VPC
An Example of Reflection using C#
Changing File Ownership In Vista and Longhorn
Archive
June, 2009 (1)
May, 2009 (1)
April, 2009 (1)
March, 2009 (1)
February, 2009 (2)
January, 2009 (1)
December, 2008 (2)
November, 2008 (1)
October, 2008 (1)
September, 2008 (1)
August, 2008 (1)
July, 2008 (2)
June, 2008 (1)
May, 2008 (1)
April, 2008 (8)
March, 2008 (8)
February, 2008 (2)
January, 2008 (1)
December, 2007 (2)
November, 2007 (2)
October, 2007 (4)
September, 2007 (3)
August, 2007 (1)
July, 2007 (2)
June, 2007 (1)
May, 2007 (2)
April, 2007 (2)
March, 2007 (1)
February, 2007 (1)
January, 2007 (3)
December, 2006 (1)
November, 2006 (1)
October, 2006 (2)
September, 2006 (1)
August, 2006 (1)
July, 2006 (2)
June, 2006 (3)
May, 2006 (9)
April, 2006 (1)
March, 2006 (4)
February, 2006 (2)
January, 2006 (3)
December, 2005 (4)
November, 2005 (4)
October, 2005 (3)
September, 2005 (5)
August, 2005 (7)
July, 2005 (5)
June, 2005 (5)
May, 2005 (7)
April, 2005 (3)
March, 2005 (6)
February, 2005 (7)
January, 2005 (9)
December, 2004 (4)
Links
About Me
ElegantCode
dasBlog
Categories
 All Categories
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
My Local Blog Map
Blogroll
 Achim Oellers
 Bart DePetrillo
 Clemens Vasters
 Harry Pierson
 Jörg Freiberger
 Joshua Flanagan
 Omar Shahine
 Scott Hanselman
 Stephen Forte
 Tom Mertens
About
Powered by:

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2010
MuellerDesigns.net

Sign In
Help Those In Need
The Hunger Site
Ronald McDonald House Charities (RMHC) of Western Washington & Alaska