use existing IE cookie for website credentials with HTTPWebRequest/Response

Hi, first let me start by saying a am a dotnet developer, but not with anything web, so i dont have alot of expertise in this area.

I am trying to write a program that gets the source of an external  web page. however i need to login credentials or else i dont see the page i want. Right now, even though IE has a cookie and my info is saved on the site, looking at the src from the web request i can see i am not getting the logged in data.

From this site and the web i found some code but it isnt working for me. Im not sure i did the post piece correctly. I used Fiddler to try and match the post data, but i am not seeing what i expect.

It seems easier to just use the existing cookie, since i can identify it on my system, but i havent figured out how to do that either.  Any help would be appreciated.

and here is the src from the page, where the login section is:
<div id="shell">
      <form id="login" class="hideLogin" method="post" action="/login.aspx">
                      <div class="input_left"></div><input type="text" id="username" name="username" class="cover" value="Username" /><div class="input_right"></div>                        
                        <div id="password1" class="password_container"><div class="input_left"></div><input type="text" id="pwdText" name="pwdText" value="Password" class="password" /><div class="input_right"></div></div>

                        <div id="password2" class="password_container"><div class="input_left"></div><input type="password" id="password" name="password" value="" class="password" /><div class="input_right"></div></div>
                        <!--<input type="password" id="password" name="password" value="Password" class="password"/>-->
                        <input type="image" src="/images/shell/login/signin.gif" alt="Signin" id="user_pass_btn" />        
                        <input type="checkbox" name="remenber" id="remenber" value="Remenber" />
                        <label for="remenber">Remember Me</label>
                        <a href="/forgotpassword.aspx" title="Forgot your Password?" id="forget">Forgot your Password?</a>
                        <a href="/registrationoptions.aspx" title="Register?" id="register">Register</a>
                        <input type="hidden" id="referer" name="referer" value="/refererpage">
// Code copied
                string UserName = "";
                string Password = "upassword";
                string LoginUrl = "";
                ASCIIEncoding encoding = new ASCIIEncoding();
                string postData = "username=" + UserName;
                postData += ("&pwdText=Password");
                postData += ("&password=" + Password);
                postData += ("&referer=/Default.aspx");
                //postData += ("&__VIEWSTATE=" + "dDwxNDk4NTExNDg3OztsPFBlcnNpc3Q7Pj6Eyncow4uVa/NxzavPfMvSqZKDFg==");
                //postData += ("&Submit1=Log On");
                byte[] data = encoding.GetBytes(postData);

                System.Net.Cookie c = new Cookie("DUMMY", "");

                Uri u = new Uri(LoginUrl);

                System.Net.HttpWebRequest w = (HttpWebRequest)System.Net.WebRequest.Create(u);

                w.CookieContainer = new CookieContainer();
                w.CookieContainer.Add(u, c);
                w.Referer = "";

                w.Method = "POST";
                w.ContentType = "application/x-www-form-urlencoded";
                w.ContentLength = data.Length;
                Stream newStream = w.GetRequestStream();
                // Send the data.
                newStream.Write(data, 0, data.Length);
                w.Credentials = System.Net.CredentialCache.DefaultCredentials;
                string str = "";

//end copied code
                HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create("");
                webRequest.Timeout = 60000;

                HttpWebResponse webResponse = (HttpWebResponse)webRequest.GetResponse();

                Stream responseStream = webResponse.GetResponseStream();

Open in new window

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

There are many obstacles to cross-domain access both in web browsers and in the design of certain web sites.

>I am trying to write a program that gets the source of an external  web page.

Logging in remotely may not be possible if the remote site has implemented CSRF protection on the login form.  If you visit that page and do a view source you may see a one time use token (this could be hidden in viewstate on a .NET site) or otherwise obscured.  That prevents logging in from a web page hosted on another domain.  Also, failing to authenticate via the other site's login page will result in your browser not getting a valid session cookie which points back to that domains session handler and contains the authentication/authorization information you'll need to access internally protected pages.

Of course, the web developer of the other domain may not have used any safeguards and it may be possible.

>just use the existing cookie

That needs to be read by the domain which created it. e.g. You would need to be on that domain's (presumably login page) where it would then be read to authenticate you.  You can not normally read the cookie contents and "send" it to the other domain.


The developer of the pages on the other domain can easily prevent the type of remote authentication which you are attempting. I of course have no way of knowing what if any obstacles have been put in place by the other domain, but can speak from personal experience that you could not authenticate remotely to a domain I have developed as those safeguards would have been used.

Some domains allow this type of access, but to do so securely would require the passing of cryptographic tokens.

So...the question is: "Do you have permission from the other domain to remotely authenticate?"

If so, then the people supporting that domain should be able to give you the necessary information for doing so.

If you provided the domain's URL, we could make an educated guess if this is possible and what you would need to accomplish it.


mikegrad7Author Commented:
hi, i was away for the weekend and am just getting back to this:

Thanks for the info Rod - I do not have permission from the site - i am just trying to write some code that recognizes automatically when changes are made to the site and have a program alert me. the web site is You must be logged in to see the detail i want to see. Login is on top of the page under "sign-in / register".

Like i said, i am not a web developer, but if you can enter a username and pwd on the page, then why couldnt you do it programatically? And since it allows you to "remember me" then what i thought would be easiest would to just use the current IE cookie so it just automatically sends you to the right page. Anyway, any help you can provide would be appreciated.

>If you can enter a user name and pwd on the page, then why couldn't you do it programatically?

Because the developer can place a one time use cryptographic token on the page (in the form) to prevent that from occurring.  Why?  Because if you do not do so, a malicious person could create a carefully crafted hyperlink which if clicked by a user of could perform actions on that user's behalf.

Imagine Amazon's one click shopping.  I could click a malicious link in an e-mail and buy a book.  Obviously Amazon is smarter than that and has protections in place but that sums up CSRF.

That web site is using a weaker variant with a hidden form field which holds the referer...<input type="hidden" id="referer" name="referer" value="/Default.aspx">.  I don't know what they are doing on the server side, so you may not be able to spoof that field.  But you can be sure login.aspx is expecting the field and is checking it's value.

As far as the cookie goes, (in theory - not discussing hacks) only the domain which set the cookie can read it.  While it exists on your computer and you can see its contents, that does not give you the ability to make that other domain read it when you choose.  You will actually have to browse to one of the pages that reads the cookie.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If the site puts protections in place to prevent remote login, discussing how to get past their protections is not permitted by the MA even if your intentions are pure.
mikegrad7Author Commented:
Ok, thanks for the info. This was just something for me, nothing malicious. But either way it seems like I can't implement this as I wished.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.