• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2337
  • Last Modified:

Java applet + authentication failure in ASP.NET

My problem is that I have a .NET application with a Java applet embedded in it. The Java applet sends an HTTP request to the server for a file like downloadfile.aspx. I believe, but cannot confirm, that the applet is including (at least) two cookies in the HTTP request: the ASPNET_SessionID and a "Login" cookie that matches the application's forms authentication.

in web.config:
<authentication mode="Forms">
      <forms name="Login" loginUrl="Interactive/bounceToLogin.html" timeout="30"/>

The problem is that some -- a small percentage of my users -- are using this applet to get a .NET web form like downloadfile.aspx, but the server response is the bounceToLogin.html page defined in the <forms> tag instead. Does anybody have some ideas how to ensure that the connection is authenticated?

P.S. I thought I had solved over here: http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_22822036.html but it's popped up again.
// in the Java applet
Url u = new URL(myurl);
HttpURLConnection conn = (HttpURLConnection)u.openConnection();
conn.setRequestProperty("Cookie", "ASP.NET_SessionId=" + sessionID);
conn.setRequestProperty("Cookie", "Login=" + loginID);
// sessionID and loginID are defined in download.aspx, the page that
// contains the applet.
// in download.aspx:
sessionString = HttpContext.Current.Session.SessionID
// and then
<applet ...><PARAM NAME="sessionID" VALUE="<%# sessionString %>"></applet>
// also in download.aspx:
<param name="loginID" value="<%# Request.Cookies["Login"].Value %>">
sessionID =  and passed as to the applet as a parameter

Open in new window

  • 3
1 Solution
We've had similar issues where some users use www. and some leave that bit out however if you have the link to your applet (form in our case) hard coded to either www. of not you can make the cookie invalid (i.e. it's effectively crossing domains) - this was an issue around IE 5.5 time (couple of years ago).
tjgquickenAuthor Commented:
I tried our applet with both the www. and without, and that didn't make a difference.

However, we have our applet running on two different domains, and it works on one domain but not on the other one. Looking at the Java console from both domains and comparing them, I noticed these two different lines.

On the working domain:
network: Connecting https://www.mydomain.com/downloadfile.aspx?id=1000 with cookie "ASP.NET_SessionId=[sessionId]; Login=[long hex string]; roles=[long hex string]

On the non-working domain, the "Login" part of that cookie is missing:
network: Connecting https://www.mydomain2.com/downloadfile.aspx?id=1000 with cookie "ASP.NET_SessionId=[sessionId]; roles=[long hex string]

The Java code is the same on both domains, so I'm not sure why the applet on one domain is sending the Login cookie and the applet on the other domain isn't.
tjgquickenAuthor Commented:
I also noticed that if I add an extra cookie in the Java code:

conn.setRequestProperty("Cookie", "test=1")

there's no change in the output, i.e. it's still

network: Connecting https://www.mydomain2.com/downloadfile.aspx?id=1000 with cookie "ASP.NET_SessionId=[sessionId]; roles=[long hex string]

with no Login cookie or test cookie.
tjgquickenAuthor Commented:
Stupid, inefficient solution: essentially re-create the cookie on the page with the applet.
i.e. Response.Cookies.Add(new HttpCookie("Login", Cookies["Login"]))

Featured Post

[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now