5

What I want is the following:

1) Login at a page using Internet Explorer

2) Have my software which uses WinInet API to crawl a site reuse the same cookies/session (i.e. so the crawler is "logged in")

I have tried build login myself using INDY, and while session cookie logins works well, many websites use a more complicated login mechanism nowadays combining client and server side stuff for the initial login.

...

The reason I believe that e.g. WordPress , ASP.Net etc. uses client-side/AJAX stuff as well with hash/time/useragent codes/checks and similar, is that I can be sending the exact same HTTP headers 30 seconds later from my own crawler program as e.g. FireFox used during a login, but it won't work.

(Compare this to normal logins based on session cookies where my own crawler program will login fine.)

Tom
  • 3,587
  • 9
  • 69
  • 124
  • Internet Explorer uses WinInet internally, so it already shares everything with other WinInet-based apps. – Remy Lebeau Feb 19 '13 at 22:31
  • I hoped so as well. But if you login using IE at WordPress following by using WinInet, it does not appear to be logged in any longer. If what you say is true, I suspect the reason may be user agent changes or similar is detected by WordPress? – Tom Feb 19 '13 at 23:30
  • Quite possibly because what you are doing could also be done by malware to take control of the account or whatever it is you are accessing. – Marjan Venema Feb 20 '13 at 07:17
  • 1
    Apparently WinInet handles cookies on a per process base: http://stackoverflow.com/questions/443567/how-does-wininet-handle-cookies?rq=1 – Jens Mühlenhoff Feb 20 '13 at 10:44
  • I guess that essentially kills the idea of asking the user to login with Internet Explorer first. I am still open for suggestions though. – Tom Feb 20 '13 at 16:34
  • wild guess: Have you tried to read cookies via InternetGetCookie/Ex – kobik Feb 20 '13 at 17:22
  • kobik: But would that help WordPress recognize is as the same logged-in session? (Even if I myself read the cookies from and on the client, that is not the same as e.g. WordPress reads the cookie on the client as belonging to the same session?) – Tom Feb 20 '13 at 17:41
  • 1
    I never tested it. If you could get your hands on the `ASP.NET_SessionId` via InternetGetCookie/Ex you might be able to set it in your WinInet request via InternetSetCookie/Ex. (for HttpOnly cookie use INTERNET_COOKIE_HTTPONLY flag). Try it... :) – kobik Feb 20 '13 at 22:07

1 Answers1

2

It seems IE does not share "internet cookies" by default. In Tools > Internet options > Security, there are different zones. Internet zone is protected mode enabled by default and you cannot access this cookies using the Wininet API. However, the Local intranet zone is not protected mode enabled by default, so you access this cookies using the Wininet API.

The protected mode cookies are stored in %appdata%\Microsoft\Windows\Cookies\Low and not protected mode cookies are stored in %appdata%\Microsoft\Windows\Cookies.

To fix your software, uncheck the Enable protected mode from the Internet zone, restart IE and log in at your website to acquire the cookies again.

kiewic
  • 15,852
  • 13
  • 78
  • 101