how can c# webpage read cookie placed by a batch job?

[Jason Shohet]

I've asked this on the asp ng, but couldn't get any advice, wondering if
anyone here can help...

GOAL: place a .NET cookie, in a user's cookie folder, containing the
machinename of the current machine the user is on. Then various .NET apps
will be able to compare a value in our db, and see if the user is allowed to
work on that machine.

So far, in the computers' startup routine (when the computer is logged
into), each computer writes the text to the appropriately named cookie file,
in that user's cookie folder. We've gotten this far.
The problem - .NET can't read it. I believe it has to do with hidden
characters. ie, take a look at a .NET
cookie. After the second 'e' in ClientInfoCookie, there is a hidden
character. You'll notice it by spacing over, it spaces twice at that point.
Also, after 'localhost/' there's a hidden character, and before the first
'*' there's a hidden character. But the Echo command that the network
engineer is running, strips out hidden characters. Could this be why we
can't read the cookie?

Anyone have any experience doing what I'm trying to do? An easier way
perpaps. Maybe I can use a javascript cookie, and have the machine name &
currentuser placed in there. Can .NET read a JS cookie perhaps...

TY Jason Shohet

 

[Colin Young]

If you are trying to prevent users from using specific workstations, why not
use the built-in Windows policy mechanism? That's what it's designed for.

Colin

 

[N.K]

Jason,

The correct way to get cookie and set cookie is use InternetSetCookie
function and InternetSetCookie function. If there is no expiry set for
cookie , cookie will become process level and if there is cookie will
stay in users cookie folder.

You need to use interop to call those Wininet functions.

[DllImport("wininet.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern bool InternetGetCookie(
string lpszUrlName,
string lpszCookieName,
StringBuilder lpszCookieData,
[MarshalAs(UnmanagedType.U4)]
ref int lpdwSize
);


[DllImport("wininet.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern bool InternetSetCookie(
string lpszUrlName,
string lpszCookieName,
string lpszCookieData
);


Sample code to set a cookie ( persistant)
InternetSetCookie(url,"Nirmal","aaa;expires = Sat, 01-Jan-2000
00:00:00 ");


I am not sure if this is what you want to acheive, Post if you need
more help.



Cheers
Nirmal

 

[Jason Shohet]

So you're talking about the startup routine when Windows loads up, it can
call Wininet functions? I've never seem what you're showing me below, but
I'm going to check if our guys can do it!!! Are you saying that
InternetSetCookie ( ) can be called during the startup routine -- its not
DOS commands (like Echo etc) from a .Bat file is it? TY very much!!!

 

[Jason Shohet]

The network engineers refuse to turn on Netbios, and I believe thats
required to go after Active Directory (we're a total AD shop, everyone's got
windows 2000 etc).

 

[Jason Shohet]

hi. I'm digesting this now. What is the 'URL' parameter? What goes in
there.
Also, if I logon to the machine as shohetj, is that what goes into the
CookieName parameter?

my thinking is it goes like this:

InternetSetCookie(url, "shohetj", "w2k-shohetj; expires = Sat, 01-Jan-2000
00:00:00");

Where shohetj is the cookiename, w2k-shohetj is my computer's machinename,
and url -- i have no idea!
TY for the help

 

[Colin Young]

Are you trying to prevent users from using any application on specific
machines, or just some specific browser-based applications from specific
machines? Maybe if you express your goal in terms of the actual goal,
instead of a solution you'll get a better solution. It seems to me that what
you should be doing is securing the individual workstations using the
existing mechanisms rather than trying to roll your own security solution.

Colin

 

[N.K]

url is the url to which you need to set cookie. Cookies are generally
assigned against a domian and optionally path.

For eg, if you want to assign cookies which needs to be sent for
http://www.test.com

url = "http://www.test.com"

 

[N.K]

Though i am explaining you the way to set cookies, it will be much
better if you post your actual problem here as suggested already in
this thread...

 

[Jason Shohet]

Colin, NK,

Thank you for helping me muddle thru this. YES, I am trying to prevent
users from accessing 1 particular applicationm -- a Timekeeping ASP.NET
application, on any machine -- besides their own.

ie: Joe has permission to access his Timesheet from his workstation only.
Mary from her workstation only.

Tactic 1: we keep the workstation assigned to each user in our database.
So I know Joe can log onto Machine abc. Mary on def, lets say. A cookie
containing the machinename, is written everytime someone logs on to a
machine. Lets say Joe logs onto Mary's machine. A cookie will go into
Joe's cookie directory on Mary's machine and write def. When he attempts
to access the asp.net timesheet app, the app reads from the cookie. It sees
def. The app looks in the db and sees abc assigned to Joe, and he is
refused entry into the system!
NOTE: we're not worried about someone modifying the cookie file because the
users are on the intranet, they don't have access to their hard drives etc.

Tactic 2: validate directly against ActiveDirectory (we're a w2k shop)!
Unfort, Netbios is not enabled on our network due to fears of extra network
traffic by the head network engineer. FWIK, Netbios is req'd for this to
work.

Thanks for the help again! Jason Shohet

 

[Jason Shohet]

i explained what i'm trying to do in response to Colin's question, above.
TY again for your help.
(BTW, I mentioned to the network engineers about Interop & Wininet, and they
never heard of it & have no idea how to access it during startup. Seems
like a bit of a rabbit hole! )

 

[Jason DeFontes]

If this is what you're trying to do, you don't need to mess with cookies
at all. You can use Request.UserHostAddress or Request.UserHostName to
figure out what machine the user is connecting from.

-Jason

 

[Jason Shohet]

Hi Jason,

Actually this joggled my memory about the netbios thing.
Request.UserHostAdress needs netbios, from what i know. I tried it a few
months back and it didn't work when the workstation has 'netbios disabled
over tcpip'. And our engineer downstairs feels netbios adds too much to
network traffic