Forms Authentication problem with WebRequest


Harry Keck

I am using the System.Net.WebRequest class to hit a URL from within my web
application and stream out the html returned. I am using forms
authentication, and instead of getting the page I have requested, I am
getting my login screen. I assume the solution to this problem lies in the
Credentials property of WebRequest, but I am not sure what I need to set it
to. I am calling this from a page that is already authenticated, so if I can
just get the credentials from the current page, that should do it, right?
 
Hello Harry,
I am using the System.Net.WebRequest class to hit a URL from within my
web application and stream out the html returned. I am using forms
authentication, and instead of getting the page I have requested, I am
getting my login screen. I assume the solution to this problem lies
in the Credentials property of WebRequest, but I am not sure what I
need to set it to. I am calling this from a page that is already
authenticated, so if I can just get the credentials from the current
page, that should do it, right?

This probably won't work

I'll try to explain why.

The normal request will go like this:

user <-> webserver
1 user: requests page.aspx
2 webserver: looks for valid cookie and redirects user to login.aspx
3 user: request login.aspx
4 webserver: server transfers login page to user
5 user: submits login.aspx
6 webserver: handles login, redirects to page.aspx, passes a cookie or url
variable
7 user: requests page.aspx and sends cookie back to server
8 webserver: server validates cookie and transfers content of page.aspx

Now in your scenario the server does a request to itself from page.aspx.
Let's consider that the user already authenticated himself, so we can skip
all the way to step 7

user <-> webserver <-> webserver
7 user: requests page.aspx and sends cookie back to server
8 webserver: server validates cookie
9 webserver: requests page.aspx from itself
10 webserver: looks for a valid cookie, finds none and redirects itself to
login.aspx

You might think it would be easy to fix this by authenticating (like you're
trying to do) or by sending the cookie along, but:
- authenticating has nothing to do with this scenario, but with server authentication
(integrated security). Forms authentication is actually just not authenticated
by the server, but by the application.
- sending the cookie along might do the trick, but I believe that the cookie
contains information about the originator (like IP address) and that the
cookie won't match the IP of the server (which of course differs from the
user's IP).

To solve this there are a few easy solutions:
1) use a usercontrol instead of a second page and include that on the original
page.
2) place the second page in a separate folder only accessible from IP 127.0.0.1,
that prevents anyone else accessing it except apps on that server. You can
then exclude this folder from forms authentication in the web.config
3) response.redirect the user to the second page, or use server.transfer
to preserve the original url.
4) use an iframe or a normal frame to include the contents of the second
page within the first one.
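
Option 2 above as a web.config sketch (an added example, not part of the original reply). It assumes IIS 7 or later with the IP and Domain Restrictions feature installed and the ipSecurity section unlocked for the site; the folder name `internal` is hypothetical.

```xml
<!-- Added example. "internal" is a hypothetical folder holding the second page. -->
<configuration>
  <system.web>
    <!-- Application default: forms authentication, anonymous users denied -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <location path="internal">
    <system.web>
      <!-- Exclude this folder from forms authentication:
           no login redirect for requests to pages under it -->
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <!-- Reject every client address except loopback.
             Assumes the ipSecurity section is not locked at server level. -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The server-side WebRequest has to address the page through 127.0.0.1 so that its source address is loopback. If a reverse proxy or load balancer on the same machine forwards external traffic, every request arrives from 127.0.0.1 and this restriction no longer protects the folder.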
 