Do SOAP-based web services see clients' cookies?
-
Hi all. I hope this is the right forum section for this kind of question. My production environment gives the user a cookie that contains encrypted authorization data. My web service (which does not produce the cookie) is expected to read the value of the cookie, do some magic with it, and extract the name of the authorized user. That's what they give me. A cookie. The client side calls my service via SOAP and passes the cookie value through the "Cookie:" header. All other headers are seen by the service, but "Cookie:" is not. (I can see that Context.Request.Cookies is empty, and Context.Request.ServerVariables contains all of my headers except "HTTP_COOKIE".) I can even pass my cookie data in another header, as long as it's not called "Cookie:". It sure looks as though .NET doesn't want services to see cookies, to the point of filtering out the "Cookie:" header when it's sent. My question is--am I crazy, or does the .NET Framework remove cookies from SOAP web service requests? And if so, is there a way to override that behavior, other than by building an equivalent to the "Cookie:" header and parsing it on the service side? Again, the user is already authenticated through another mechanism, they already have the cookie, and I'm supposed to use the cookie to figure out who's making the request. Thanks in advance for any insights as to how .NET Framework handles cookies on web service requests.
-
Hi all. I hope this is the right forum section for this kind of question. My production environment gives the user a cookie that contains encrypted authorization data. My web service (which does not produce the cookie) is expected to read the value of the cookie, do some magic with it, and extract the name of the authorized user. That's what they give me. A cookie. The client side calls my service via SOAP and passes the cookie value through the "Cookie:" header. All other headers are seen by the service, but "Cookie:" is not. (I can see that Context.Request.Cookies is empty, and Context.Request.ServerVariables contains all of my headers except "HTTP_COOKIE".) I can even pass my cookie data in another header, as long as it's not called "Cookie:". It sure looks as though .NET doesn't want services to see cookies, to the point of filtering out the "Cookie:" header when it's sent. My question is--am I crazy, or does the .NET Framework remove cookies from SOAP web service requests? And if so, is there a way to override that behavior, other than by building an equivalent to the "Cookie:" header and parsing it on the service side? Again, the user is already authenticated through another mechanism, they already have the cookie, and I'm supposed to use the cookie to figure out who's making the request. Thanks in advance for any insights as to how .NET Framework handles cookies on web service requests.
Mark Schumann wrote:
My question is--am I crazy, or does the .NET Framework remove cookies from SOAP web service requests?
I don't know the answer to that. If you really must know grab one of the several free packet sniffers and take a look at what is actually transmitted. That said, something is not correct in your scenario. The SOAP message should be designed to carry that information and not rely on something like cookies since SOAP is not reliant on HTTP as it's transport.
led mike
-
Mark Schumann wrote:
My question is--am I crazy, or does the .NET Framework remove cookies from SOAP web service requests?
I don't know the answer to that. If you really must know grab one of the several free packet sniffers and take a look at what is actually transmitted. That said, something is not correct in your scenario. The SOAP message should be designed to carry that information and not rely on something like cookies since SOAP is not reliant on HTTP as it's transport.
led mike
Good answer--why am I expecting SOAP to carry my HTTP headers in the first place? :rolleyes: Thanks for the perspective, and for the smack in the head. What do you think would be "best practice" if I want to push the contents of that cookie (which is all the authentication system gives me to work with) to my web service? I'm thinking it should be just another element in the SOAP request. Is there a more elegant way to do what I'm trying to do?
-
Good answer--why am I expecting SOAP to carry my HTTP headers in the first place? :rolleyes: Thanks for the perspective, and for the smack in the head. What do you think would be "best practice" if I want to push the contents of that cookie (which is all the authentication system gives me to work with) to my web service? I'm thinking it should be just another element in the SOAP request. Is there a more elegant way to do what I'm trying to do?
Mark Schumann wrote:
What do you think would be "best practice" if I want to push the contents of that cookie (which is all the authentication system gives me to work with) to my web service?
http://msdn2.microsoft.com/en-us/library/ms951273.aspx[^]
led mike
-
Mark Schumann wrote:
What do you think would be "best practice" if I want to push the contents of that cookie (which is all the authentication system gives me to work with) to my web service?
http://msdn2.microsoft.com/en-us/library/ms951273.aspx[^]
led mike
Outstanding, Mike--that's exactly what I was looking for! I appreciate your help on this.
-
Outstanding, Mike--that's exactly what I was looking for! I appreciate your help on this.