Use a program to log in to an ASP.NET page

zhaozj, 2021-02-17

Problem

When writing Internet applications, you often need to handle user login. In this situation we usually have the program simulate a user filling in the username and password on the web page and submitting them. When a user enters the username and password and submits the page, what actually happens is a POST request that carries the username, password and other information. So, in principle, we can log in simply by packaging the same information into a POST request in our program and sending it to the web server. Taking MFC as an example, the following code simulates a login:

#include <afxinet.h>  // CInternetSession, CHttpConnection, CHttpFile

CString strHeaders = _T("Content-Type: application/x-www-form-urlencoded");
// name = "sam", password = "123", action = "submit"
// The body is sent as raw bytes, so it is kept in a narrow string even in Unicode builds.
CStringA strFormData("name=sam&password=123&action=submit");
CInternetSession session;
CHttpConnection* pConnection =
    session.GetHttpConnection(_T("ServerNameHere"));
CHttpFile* pFile =
    pConnection->OpenRequest(CHttpConnection::HTTP_VERB_POST,
                             _T("FormActionHere"));
// Send the headers and the form body; the length is the body size in bytes.
BOOL result = pFile->SendRequest(strHeaders,
    (LPVOID)(LPCSTR)strFormData, strFormData.GetLength());

This method works very well for ASP pages, but for ASP.NET pages it sometimes does not work. Why?

Investigation

To find out how an ASP.NET page differs from an ASP page when handling logins, we use a sniffer tool to trace the communication between the web server and the browser. The trace shows that an ASP.NET page still sends the login information to the server in a POST request after the user submits it. The difference is that, besides the username, password and other fields, the request carries an additional __VIEWSTATE field. If we add the __VIEWSTATE value captured by the sniffer to our request, the login can be simulated successfully. The next question is: how should our program obtain this __VIEWSTATE?

We know that an ASP.NET page has a ViewState property, which ASP.NET uses to save the page's state information so that the state can be restored when the page is submitted. It is defined by a hidden field in the page. If you view the page source in your browser, you can see it as a single line of markup.

Its value attribute is what we need: we only have to parse this __VIEWSTATE out of the login page, and our problem is solved.

Solution

Look closer and you will see that the ViewState value is encoded. If we take it straight from the page, combine it with the login information into a POST request, and send it to the server, what happens? It fails. Comparing the sniffer capture with the ViewState value in the page, we find that the two still differ. It turns out that the ViewState value in the page source is Base64 encoded, and when it is sent to the web server the browser converts it to URL encoding so that it is transmitted correctly. When the web server receives the ViewState, it first URL-decodes it back to Base64 and then hands it to ASP.NET for processing. So our program has to URL-encode the ViewState value itself before sending it; with that, the whole login process can be simulated successfully.

References

1. HOWTO: Simulate a Form POST Request Using WinInet, the Microsoft KB article that describes how to implement a simulated POST request.

2. ASP.NET Maintaining the ViewState, introductory material on ViewState.

3. ViewState: All You Wanted to Know, an in-depth discussion of ViewState.

4. ViewState Parser: want to see what the decoded ViewState looks like? Try this parser.

5. Discussion in Bo Hall, the blog post written in the process of solving this problem.
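
The two steps from the solution above (reading __VIEWSTATE out of the login page, then URL-encoding it into the POST body), as an added example that is not part of the original article. It uses standard C++ rather than MFC so it compiles anywhere; ExtractViewState, UrlEncode and BuildLoginBody are hypothetical helper names, and the sample page and its Base64 value are constructed.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Hypothetical helper: return the value of the hidden __VIEWSTATE field, or ""
// if the page has none. Assumes the name attribute precedes value in the tag.
std::string ExtractViewState(const std::string& html) {
    const std::string marker = "name=\"__VIEWSTATE\"";
    const std::string attr = "value=\"";
    std::string::size_type pos = html.find(marker);
    if (pos == std::string::npos) return "";
    std::string::size_type tagEnd = html.find('>', pos);
    std::string::size_type start = html.find(attr, pos);
    if (start == std::string::npos || start > tagEnd) return "";  // value of a later tag
    start += attr.size();
    std::string::size_type end = html.find('"', start);
    if (end == std::string::npos) return "";
    return html.substr(start, end - start);
}

// Percent-encode everything except RFC 3986 unreserved characters. Base64 uses
// '+', '/' and '='; an unencoded '+' would be decoded by the server as a space.
std::string UrlEncode(const std::string& in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            out += static_cast<char>(c);
        } else {
            out += '%'; out += hex[c >> 4]; out += hex[c & 0x0F];
        }
    }
    return out;
}

// Build the form body using the field names from the article's MFC snippet.
std::string BuildLoginBody(const std::string& html, const std::string& name,
                           const std::string& password) {
    return "__VIEWSTATE=" + UrlEncode(ExtractViewState(html)) + "&name=" +
           UrlEncode(name) + "&password=" + UrlEncode(password) + "&action=submit";
}

int main() {
    // Constructed sample login page; the Base64 value is made up.
    const std::string page = "<form method=\"post\" action=\"login.aspx\">\n"
        "<input type=\"hidden\" name=\"__VIEWSTATE\" value=\"dDw+Mi8/YQ==\" />\n</form>";
    std::printf("%s\n", BuildLoginBody(page, "sam", "123").c_str());
}
```

The resulting string is what would be passed as the request body in the MFC SendRequest call shown earlier.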
