Ok, I do an intial request with no cookie info, I get back
Set-Cookie: ASP.NET_SessionId=5zaasakdhaksfg34; path=/
So on my next request, which is a POST of the login username and
password I include the session id variable. The login succeeds and
rerturns more cookies:
Set-Cookie:MyAppp=YF3H0HFFFFKOJF034J439FJ09
Set-Cookie:MyAppp=KSAJDDD7AS6D7A6D7ASTDASTD
So on my next GET request I include
Cookie: ASP.NET-SessionId=5zaasakdhaksfg34;
MyAppp=KSAJDDD7AS6D7A6D7ASTDASTD
The MyAppp seems to come from web.config - possibly related to forms
based authentication?
This is as far as I get - further requests for pages (mimicking my
browser) using the returned ids gives me errors:
HTTP/1.1 403 Forbidden
What could I be missing - what are the 403 errors specific to - lack
of authentication?
"Roger Willcocks" <Ro****@l-space-design.com> wrote in message news:<c1**********@lust.ihug.co.nz>...
Make an initial request to the server, no cookie, to an unsecured page
then the response should contain a Set-Cookie: header that will tell you
what to use.
ASPSESSIONID<STUFF> is for ASP not ASP.NET session management
the <STUFF> bit changes every time the server/site process restarts
"Tim Smith" <ti*******@hotmail.com> wrote in message
news:a7*************************@posting.google.co m... Hi,
We have an ASP.NET web application which is suffering performance
problems. Since setting up robot scripting interacting with the
browser would take a while I hoped I could open a two-way socket with
IIS and replicate the HTTP session information e.g. starting out with
POST /192.168.1.1/login.aspx HTTP/1.1\r\n
Accept-Language: en-us\r\n
ontent-Type: application/x-www-form-urlencoded\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET
CLR 1.0.3705)\r\n
Host: 192.168.1.1\r\n
ontent-Length: 68\r\n
Connection: Keep-Alive\r\n
Cache-Control: no-cache\r\n
Cookie: ASPSESSIONIDAAATDTQR=OGEFBLJCPEPCNFHMJGPHBCDJ;
ASP.NET_SessionId=ko3ozjqyqb1lbu454cxrf3ft;\r\n
\r\n__EVENTTARGET=&__EVENTARGUMENT=&usersid=abcde& passwd=12345&test=Login
When I network sniff IE I see the ASPSESSIONIDAAADTQR, without it I
get a security timeout from the server. I could probably comment out
that code but can I generate than value from somewhere?? Do I need
more than the SessionId to make this work. Is this all even possible?