Can't get to cookies that i can see via curl

EricZimmerman · November 1, 2017, 6:45pm

If i make this request via curl:

curl -i --silent -D - -o /dev/null --data “username=eric.zimmerman@foo.com&password=aPassword” mediashuttle.net - Redirect Page

i get back this:

HTTP/1.1 302 Found
Content-Type: text/plain; charset=utf-8
Date: Wed, 01 Nov 2017 18:13:41 GMT
Location: mediashuttle.net - Redirect Page
Server: Apache-Coyote/1.1
Set-Cookie: sso_authToken_ABigLongNumber; Domain=.mediashuttle.com; Secure
Set-Cookie: admin_authToken_eric.zimmerman%40kfoo.com=aGuid; Domain=mediashuttle.com; Secure
Set-Cookie: loginSuccess=true; Secure
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: keep-alive

but if I try to post my username and password via ServiceStack, I can never see the sso_authToken and admin_authToken cookies, only this one:

JSESSIONID=F7903BF; Path=/; Secure; HttpOnly

So, how can I get to see ALL the cookies that get sent so I can get access to the admin_authToken cookie via one of the SS clients?

when I was playing with HttpClient, I did see these cookies buried way down in the HttpClientHandler object. in cookiecontainer/m_domaintable in the .mediashuttle.com item

Thanks!

mythz · November 1, 2017, 9:04pm

Please note ServiceStack Service Clients are only for consuming ServiceStack Services, you can use the opinionated HTTP Utils to consume 3rd Party APIs, where you can access response cookies in a response filter:

url.GetStringFromUrl(responseFilter: res.Cookies)

The Service Clients do implement GetCookieValues() where you can access Cookies in a string dictionary:

var cookies = client.GetCookieValues();

Or you can get direct access to the CookieContainer with:

client.CookieContainer

EricZimmerman · November 1, 2017, 9:33pm

sorry if I am being dumb here, but this isn’t clear to me.

if i do this:

var login = new NameValueCollection
{
{“username”, “eric.zimmerman@foo.com”},
{“password”, “PW”}
};
var response = “mediashuttle.net - Redirect Page”.PostToUrl(login.ToFormUrlEncoded(),
responseFilter: httpRes =>
{

                Debug.WriteLine(httpRes.Cookies.Count);

});

Cookies.Count is 0

i plan to use DTOs i roll for this generic REST client using SS, but getting the auth token from the cookies is hanging me up

can you provide a snippet of code using SS or related utils that emulates what is happening in that CURL call?

mythz · November 1, 2017, 10:14pm

What are the Request/Response HTTP Headers when using the Service Client? You can use Fiddler or WireShark to view the raw HTTP Request.

EricZimmerman · November 2, 2017, 11:42am

using JsonHttpClient:

POST /admin HTTP/1.1
Accept: application/json
Content-Type: application/json; charset=utf-8
Host: something.mediashuttle.com
Content-Length: 62
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

response:
HTTP/1.1 302 Found
Content-Type: text/plain; charset=utf-8
Date: Thu, 02 Nov 2017 11:39:20 GMT
Location: mediashuttle.net - Redirect Page
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: keep-alive

when it follows the redirect i get the jsession thing.

if i do this:

 var response = "https://something.mediashuttle.com/admin".PostToUrl(login.ToFormUrlEncoded(),
            responseFilter: httpRes =>
            {

                Debug.WriteLine(httpRes.Cookies.Count);

});

on the first connect i see:

POST /admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: /
Accept-Encoding: gzip,deflate
Host: something.mediashuttle.com
Content-Length: 54
Expect: 100-continue
Connection: Keep-Alive

with response

HTTP/1.1 302 Found
Content-Type: text/plain; charset=utf-8
Date: Thu, 02 Nov 2017 11:41:27 GMT
Location: mediashuttle.net - Redirect Page
Server: Apache-Coyote/1.1
Set-Cookie: sso_authToken_guida=guid; Domain=.mediashuttle.com; Secure
Set-Cookie: admin_authToken_eric.zimmerman%40kroll.com_guid; Domain=mediashuttle.com; Secure
Set-Cookie: loginSuccess=true; Secure
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: keep-alive

after the second one follows the redirect i only see the jsession thing.

so the cookies are there with the posttourl thing, but how can i go about actually get to them to pull a token out?

EricZimmerman · November 2, 2017, 11:47am

this

        var response = "https://something.mediashuttle.com/admin".PostToUrl(login.ToFormUrlEncoded(),
            responseFilter: httpRes =>
            {

                Debug.WriteLine(httpRes.Cookies.Count);

            }, requestFilter: req => req.AllowAutoRedirect = false);

does not result in any cookies being populated in httpRes either

i think i figured out how to do it via HttpClient in conjunction with an HttpClientHandler when setting allow redirect = false. have to use response.Headers.GetValues(“Set-Cookie”) and i get back an array of 3 strings.

this also works with

responseFilter: httpRes =>
{

                Debug.WriteLine(httpRes.Cookies.Count);

using the same method, but why don’t the cookies actually populate? strange

if you take out the AllowRedirect = false it also fails to populate the cookies at all.