This is a mirror of official site: http://jasper-net.blogspot.com/

Faking Forms Authentication in Silverlight

Tuesday, February 15, 2011
In a website that implements Forms Authentication, Silverlight fits in very easily: Forms Authentication leaves a cookie on the client, and Silverlight just picks it up if you’re using the Browser Stack (which you normally would). In other words, it simply works.

However, many times you would like to do the authentication yourself – that is – to fake an HTTP Post so that you can authenticate to a server without having the user actually fill the form and submit it – you’d like to do it programmatically in Silverlight.

My first thought was doing the following:

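// First attempt: fake the login form's HTTP POST. No Content-Type header is set explicitly.
WebClient wc = new WebClient();
this.completed = Completed;
wc.UploadStringCompleted += new UploadStringCompletedEventHandler(wc_UploadStringCompleted);
wc.UploadStringAsync(new Uri("http://MyServer/login", UriKind.Absolute),
    // Escape the values so an '&' or '=' inside a credential cannot break the form body.
    String.Format("username={0}&password={1}", Uri.EscapeDataString(user), Uri.EscapeDataString(pass)));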

Using WebClient, we can call UploadStringAsync to upload a list of parameters (those usually would be the form fields – in this case it’s username and password), and thus fake the HTTP Post of the form.

It worked like a charm for a few hours, and then one of the programmers in the team started getting Access Denied from the server. It took me quite some time to realize why… (and a lot of fiddling with Fiddler)

I took snapshots of the HTTP activity on my computer and on the computer of the other programmer, only to find out that my computer was creating a slightly different web request. It was adding a content-type header:

content-type: application/x-www-form-urlencoded
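
A sketch of the same form post with the header set explicitly, so the request carries it regardless of what the local HTTP stack adds by default. This is an added example, not code from the original post: the `FormsLogin` class, its method names and the callback signature are assumptions, and the login URL is supplied by the caller.

```csharp
using System;
using System.Net;

// Added example: FormsLogin and its members are hypothetical names, not from the post.
public static class FormsLogin
{
    private const string FormContentType = "application/x-www-form-urlencoded";

    // Percent-encode each value so '&', '=', '+' or '%' inside a credential
    // cannot split or corrupt the form body.
    public static string BuildFormBody(string user, string pass)
    {
        return "username=" + Uri.EscapeDataString(user) +
               "&password=" + Uri.EscapeDataString(pass);
    }

    // completed(responseBody, error): error is non-null on failure;
    // both arguments are null if the request was cancelled.
    public static void LoginAsync(Uri loginUri, string user, string pass,
                                  Action<string, Exception> completed)
    {
        WebClient wc = new WebClient();

        // Declare the body format explicitly instead of relying on whatever
        // the local HTTP stack adds by default.
        wc.Headers[HttpRequestHeader.ContentType] = FormContentType;

        wc.UploadStringCompleted += (sender, e) =>
        {
            // e.Result throws if the call failed or was cancelled, so check first.
            if (e.Cancelled || e.Error != null)
                completed(null, e.Error);
            else
                completed(e.Result, null);
        };

        wc.UploadStringAsync(loginUri, "POST", BuildFormBody(user, pass));
    }
}
```

A non-null response body only means the HTTP exchange succeeded; the caller still has to inspect it to decide whether the server accepted the credentials.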

Read more: Lego for grownups
