1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Accessing HTTP only cookies via .NET cookiecontainer

Discussion in 'Visual Basic .NET' started by programmingboss, May 21, 2013.

  1. programmingboss

    programmingboss Newbie

    Joined:
    Feb 17, 2013
    Messages:
    7
    Likes Received:
    0
    I am making a web request and monitoring it in Charles' Proxy. I can see HTTP only cookies coming back in the response but I cannot access them via the cookiecontainer object. I can see other cookies in the container but not the HTTP only one I am after.

    Does anyone know how to do this? I know the information is available because Charles' Proxy can show my the value of the HTTP only cookie. However, I need access to it in .NET. I suspect this may need reflection but I am not sure how.

    Can anyone help? Thanks.
     
  2. theMagicNumber

    theMagicNumber Regular Member

    Joined:
    May 13, 2010
    Messages:
    345
    Likes Received:
    195
    Code:
     public void GetCookies(CookieContainer cookieContainer)
            {
                System.Type _ContainerType = typeof(CookieContainer);
                Hashtable table = (Hashtable)_ContainerType.InvokeMember("m_domainTable",
                                           System.Reflection.BindingFlags.NonPublic |
                                           System.Reflection.BindingFlags.GetField |
                                           System.Reflection.BindingFlags.Instance,
                                           null,
                                           cookieContainer,
                                           new object[] { });
                foreach (var pathList in table.Values)
                {
                    SortedList lstCookieCol = (SortedList)pathList.GetType().InvokeMember("m_list", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.GetField | System.Reflection.BindingFlags.Instance, null, pathList, new object[] { });
                    foreach (CookieCollection colCookies in lstCookieCol.Values)
                    {
                        foreach (Cookie c in colCookies)
                        {
                            if (c.HttpOnly)
                            {
                                //do the work here
                            }
                        }
                    }
                }
            }
    
    The code is not mine, just copied from here and there.
    If you know the domain you can use GetCookies(Uri uri) from CookieContainer.

    EDIT:
    I apologize, but i missed that it is VB.NET forum.
     
    • Thanks Thanks x 1
    Last edited: May 21, 2013
  3. roach

    roach BANNED BANNED

    Joined:
    Sep 8, 2009
    Messages:
    740
    Likes Received:
    395
    Hey brother here is the code you asked for in vb net.

    That is pretty much what I use. I just copied and pasted that out of one of my tools i made. Good luck! Also dont forget to close what you open... :)
     
    • Thanks Thanks x 1
  4. programmingboss

    programmingboss Newbie

    Joined:
    Feb 17, 2013
    Messages:
    7
    Likes Received:
    0
    Thank you both.

    Roach I haven't run that code but I believe that is good for getting normal cookies but I don't think HTTP Only cookies can be accessed in that way. Please correct me if I am wrong.

    I am going to test out theMagicNumber's code as it looks good, if you don't hear from me then it worked.
     
  5. programmingboss

    programmingboss Newbie

    Joined:
    Feb 17, 2013
    Messages:
    7
    Likes Received:
    0
    Unfortunately, it didn't work. The code is good, the problem is that the cookie doesn't show in the response.cookies cookiecontainer or in a cookiecollection object i attach to the request. Driving me crazy.

    I see the cookie in Charles Proxy, so I know it's part of the response. It doesn't have a Domain assigned to the cookie, could that be the problem?

    Here is what the raw response in Charles shows me;
    Set-Cookie: [COOKIE NAME HERE]=BAh7CDoQb2xkX2dldF91cmwiBi86D3Nlc3Npb25faWQiJTUwZmVmNTAzZWVmM2U2Mzk0MDQ5ZjdiMzI4ODViMjFlOhBfY3NyZl90b2tlbiIxOEtFejBBcWZ3TDB4SUYyTVA1WVBnc3poWnIzZTdiRHJxelpKdmtES1ZTTT0%3D--5118f929221234fdf175ba825a2d1a96b346b9bb; path=/; HttpOnly
     
  6. innozemec

    innozemec Jr. VIP Jr. VIP Premium Member

    Joined:
    Aug 19, 2011
    Messages:
    5,250
    Likes Received:
    1,794
    Location:
    www.Indexification.com
    Home Page:
    You sure the cookie isn't been set by Charles or set only if using a proxy? I remember once i had a system returning special response only when using a Proxy as when using Charles the connection gets proxied..i have gone crazy till i figured that out..
     
    • Thanks Thanks x 1
  7. programmingboss

    programmingboss Newbie

    Joined:
    Feb 17, 2013
    Messages:
    7
    Likes Received:
    0
    Well, the request response i am checking with Charles (the one that shows the cookie) is the one being executed in my app. I have the app using the 127.0.0.1:8888 proxy so I can see it in Charles' Proxy.

    I realise HTTP only cookies are not meant to be accessed by the client, which is why .NET is not letting me get at it. But the cookie is in the response, I just need some kind of reflection code to access what .NET is hiding from me.
     
  8. programmingboss

    programmingboss Newbie

    Joined:
    Feb 17, 2013
    Messages:
    7
    Likes Received:
    0
    Here's the raw response from Charles. I've replaced the domain name with XXXXX and trimmed the content, nothing else.

    Code:
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Status: 200
    X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.12
    X-Runtime: 42
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: mobile_view=false; domain=XXXXXXX; path=/
    Set-Cookie: 
    Set-Cookie: country_id=30; domain=XXXXXXX; path=/; expires=Wed, 21-May-2014 21:26:12 GMT
    Set-Cookie: 
    Set-Cookie: country_code=JP; domain=XXXXXXX; path=/; expires=Wed, 21-May-2014 21:26:12 GMT
    Set-Cookie: 
    Set-Cookie: language_id=1; domain=XXXXXXX; path=/; expires=Wed, 21-May-2014 21:26:12 GMT
    Set-Cookie: 
    Set-Cookie: l=; domain=XXXXXXX; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
    Set-Cookie: _XXXXXXX_session=BAh7CDoQb2xkX2dldF91cmwiBi86D3Nlc3Npb25faWQiJTc5NWNmYTM4YTk0MGNkYjEyZGMwNDViYzVkNjcyOTY3OhBfY3NyZl90b2tlbiIxRUhtcW5MdkQ0RS9LaTAvSjFBMGNjakZja0NxdDUwQklveS8xQ1Myck4zND0%3D--ef35cdf5911aaaee48c7c9f7d09fc5c5b3a4d5e4; path=/; HttpOnly
    ETag: "b0860cf08817b135d34ecc5c574f62c0"
    X-Content-Type-Options: nosniff
    Cache-Control: private, max-age=0, must-revalidate
    X-XSS-Protection: 1; mode=block
    Server: nginx/1.0.15 + Phusion Passenger 3.0.12 (mod_rails/mod_rack)
    Content-Encoding: gzip
    
    EDIT: The only cookie in the cookiecontainer is 'mobile_view' why are the others not there/visible?
     
  9. programmingboss

    programmingboss Newbie

    Joined:
    Feb 17, 2013
    Messages:
    7
    Likes Received:
    0
    Got it, finally. You can get the raw header text with;
    Code:
    Response.Headers.ToString
    
    And now I can see the raw headers I posted above. Still don't know why .NET wasn't putting those cookies in the container but now I can manually at least.
     
  10. hatemachine

    hatemachine Regular Member

    Joined:
    Jan 14, 2011
    Messages:
    271
    Likes Received:
    1,137
    The official .NET CookieContainer implementation has been broken for years, better do it yourself.
     
    • Thanks Thanks x 1