views:

305

answers:

1

I am currently working on a .Net application which makes HTTP requests to some web applications hosted on a IIS server. The application is deployed through ClickOnce and is working fine on simple networks architectures.
One of our customers has a very complex network involving a custom authentication server on which the user has first to log himself in order to be authenticated and get access to other applications on this network. Once authenticated on this server, a session cookie is created and sent to the user. Every time the user then makes a request on a secured server of the network, this cookie is checked to grant access to the user. If this cookie is not sent with the request, the user is redirected to the login page. The only browser used is Internet Explorer.
This cookie cannot be accessed from our .net application since it is executed in another process than the Internet Explorer process which was used to log the user in, and thus is not sent with our requests, which cannot be completed since the server redirects every of our requests to the login page.
I had a look at embedding my application into Internet Explorer by making the main control COM visible and creating it on an HTML page with an tag. It is working properly, however the sessions cookies set earlier in the browser are not sent when the ActiveX control makes web requests.
I was hoping this sharing of the session information would be automatic (although I didn't really believe it). So my questions are : Is it possible to have access to this cookie in the embedded ActiveX? How? Does it make a difference to use a .Net COM-interop component instead of a "true" ActiveX control? Also, are there specific security words to describe this kind of behaviors (given that I am not an expert at all on security topics, this lack of proper terminology makes it a lot harder to find the needed resources)?

My goal is to have my application's requests look the same from the requests made by the host browser's requests, and I thought that embedding the application as an ActiveX control into the browser was the only way to achieve this, however any suggestion on another to do this is welcome.

A: 

I don't really know much about .NET, IIS or ActiveX, but would it be possible to pass the cookies to the embedded application? Javascript has document.cookie which should contain all of the cookies for the current domain (the ones sent for the current page request). It's probably possible to have this value passed to your embedded application somehow.

Sorry for the vague answer. I hope it can at least point you in a new direction.

Chibu
Unfortunately this is not possible: the cookie is an http-only cookie and thus cannot be accessed by client code.
jerem
Well, sorry for not being help at all then =D
Chibu