Hi all,

I am developing a C# application that does this (by the way, this is also my first C# app.):

  • gets login information from the user (id, pass),
  • opens a new HttpWebRequest connection to an ASP.NET web page,
  • tries to login to this page with the obtained [id,pass] tuple. If login is successful, my HttpWebRequest object contains a cookie which will be used to login to another page.

Before requesting the second (protected) page, I want to be sure that the first login is successful. First I thought that the server sends a cookie if and only if the login is successful. But it does not. :) Is it possible to understand from the received cookie object that my login is successful? Or are there any other methods that you can propose for me to solve this issue?

Thanks in advance.

+1  A: 

If the user isn't authorized, the web server should return an HTTP error code 401.

Jason
I believe he may be essentially screen scraping a login form that would return 200 OK, even on a failed login.
FlySwat
That's right. In any way, I received a 200 OK from the server. I checked it with Wireshark. ;)
fantoman
Well, in that case, I think you need to know the format of the cookie. It's up to the site to determine a cookie's contents. If it contains the data you need, and it's not encrypted, you are in luck.
Jason
Also, this whole thing smells of poor form. You are fronting some other website with your own login page, and you hope to ensure the credentials that are entered into your page are valid, and then you wish to re-use those credentials. Sounds like you are up to no good.
Jason
Yes, it might not be a very good solution, but I could not find any other way to handle it. :( What I want to do is provide a better user interface using C# forms to use my account in a password-protected web page.
fantoman
Yes Jason, you were right. The server responds back with a 302 Found when the login is successful and 200 OK when it is not. Thanks.
fantoman
A: 

I would do one of two things.

  1. Instead of using an aspx page, I could use a web service. The webservice login method would return an xml response that would tell you whether or not the login was successful, in addition to giving you a cookie. (Some StackOverflowers may disagree on the use of cookies with webservices, but I like them.)

  2. Your login page could be more of an API. Let's say your URL looks like this:

    http://mywebsite.com/api.aspx?method=login&userid=sampleuser&password=password

    In the response HTML you could send back a parsable message, which could be either just text or XML. For example, the result page could just say 'success'. Your C# application could read this and see you are successfully logged in.

    Note: You'd probably want to send the username and password over a POST request, and perhaps hash the password before sending.

Good luck!

Shawn Simon
I think I am misunderstood. :) I am not developing the web page. I am trying to log in to an existing web page whose services I have no right to change. :(
fantoman
A: 

Thanks for all replies. Here is my strange solution. :) I am writing this since someone may need it in the future.

The cookie that I receive does not contain a specific [name,value] pair like [logged,true]. The only thing that I receive is something like:

    Set-Cookie: ASP.NET_SessionId=ah0b2kj40oi0vuufv0mmot35; path=/; HttpOnly\r\n

So, I thought I was going in the wrong direction and tried to find another way to analyze whether the login is successful or not. My solution is to use the StatusCode of the response. I realised (thanks to Jason's comment about error code 401) that the server responds back with an HTTP 302 Found status code if the login is successful. But if the login is unsuccessful, it responds back with the same login page (i.e. HTTP 200 OK). So depending on the received response's HTTP code, I decide if it is successful or not. Here is the sample code:

    // In LoginForm.cs
    // The login request must have been sent with request.AllowAutoRedirect = false;
    // otherwise the 302 is followed automatically and never seen here.
    using (HttpWebResponse loginResponse = (HttpWebResponse)request.GetResponse())
    {
        // Compare the enum value instead of its string form.
        if (loginResponse.StatusCode == HttpStatusCode.Found)
        {
            // Read the redirect target by header name rather than by position.
            nextUrl = loginResponse.Headers["Location"];
            StringBuilder FullUrl = new StringBuilder(this.server_address);
            FullUrl.Append(nextUrl);
            this.setSecretURL(FullUrl.ToString());

            setLoginSuccess(true);
            // Now we can send our cookie along with a request for the protected page.
            request = WebRequest.Create(SECRET_PAGE_URL) as HttpWebRequest;
            request.CookieContainer = cookies;
            using (StreamReader responseReader = new StreamReader(request.GetResponse().GetResponseStream()))
            {
                // and read the response
                result = responseReader.ReadToEnd();
            }
        }
        else
        {
            setLoginSuccess(false);
        }
    }
fantoman
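
Added example, not part of the original answers: the 302-versus-200 check from the accepted solution, run against a local stand-in server so it works offline. It uses HttpClient with AllowAutoRedirect disabled rather than HttpWebRequest; the port 8089, the form fields id and pass, the password "correct" and the path /secret.aspx are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
class LoginProbe
{
    // Constructed stand-in for the login page (not the real site): 302 on the right password, else 200.
    static async Task ServeAsync(HttpListener listener)
    {
        while (true)
        {
            HttpListenerContext ctx;
            try { ctx = await listener.GetContextAsync(); } catch (Exception) { return; } // listener stopped
            string body = await new StreamReader(ctx.Request.InputStream).ReadToEndAsync();
            ctx.Response.AppendHeader("Set-Cookie", "ASP.NET_SessionId=constructed; path=/; HttpOnly");
            if (body.Contains("pass=correct")) ctx.Response.Redirect("/secret.aspx"); // 302 + Location
            ctx.Response.Close();
        }
    }

    // Returns the absolute post-login URL, or null when the login was rejected.
    static async Task<Uri?> TryLoginAsync(HttpClient client, Uri loginUrl, string id, string pass)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string> { ["id"] = id, ["pass"] = pass });
        using HttpResponseMessage resp = await client.PostAsync(loginUrl, form);
        // A session cookie is set either way, so it proves nothing; 200 means the form was served again.
        if (resp.StatusCode != HttpStatusCode.Found || resp.Headers.Location == null) return null;
        // Location is read by name and may be relative, so resolve it against the login URL.
        var target = new Uri(loginUrl, resp.Headers.Location);
        // Count only a redirect that stays on the same scheme, host and port as a successful login.
        bool sameOrigin = Uri.Compare(target, loginUrl, UriComponents.SchemeAndServer,
                                      UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0;
        return sameOrigin ? target : null;
    }
    static async Task Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add("http://localhost:8089/"); // constructed local address
        listener.Start();
        _ = ServeAsync(listener);
        // Without AllowAutoRedirect = false the client follows the 302 and the status check never sees it.
        var handler = new HttpClientHandler { AllowAutoRedirect = false, CookieContainer = new CookieContainer() };
        using var client = new HttpClient(handler);
        var url = new Uri("http://localhost:8089/login.aspx");
        Console.WriteLine(await TryLoginAsync(client, url, "user", "correct"));
        Console.WriteLine(await TryLoginAsync(client, url, "user", "wrong") == null);
        listener.Stop();
    }
}
```

The CookieContainer on the handler keeps the session cookie, so a later GET for the returned URL through the same client is sent with it.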