
There is a site with this form for login:

    <form action="****" method="post">
        <input name="token" type="hidden" value="QgS9Rs/nBnba" />
        <div class="userName">
            <strong>User name</strong>:<br />
            <input type="text" name="UserHandle" id="nameOrEmail" />
        </div>
        <div class="password">
            <strong>Password</strong>:<br />
            <input type="password" name="Password" />
        </div>
        <div>
            <input id="login" type="submit" value="SignIn" name="Login" />
        </div>
    </form>

When I copy this section of the page into a .html file on my computer, open it in a browser, and enter the username and password, I can log in to the site properly. But I need to log in to the site with C#, so I implemented this code:

    // Requires: using System.Net; using System.Text;
    WebClient wc = new WebClient();
    // Post the same four fields the HTML form submits.
    byte[] resp = wc.UploadValues("***", new System.Collections.Specialized.NameValueCollection
    {
        {"token", tokenVal},
        {"UserHandle", "my username"},
        {"Password", "my password"},
        {"Login", "SignIn"}
    });
    string _response = Encoding.ASCII.GetString(resp);

The tokenVal has valid data and I trust it. Any idea?

Saman Gholami
  • Have you checked if your server checks/sets cookies and/or browser headers to avoid login from a simple script? What do you get in `string _response`? – bansi Dec 31 '13 at 08:18
  • Use HttpFox, a Firefox plugin, for a better understanding of the login process. I'm not a C# guy, but it would be simpler to mimic the client request once you have seen it :) – elbuild Dec 31 '13 at 08:21
  • Or use Fiddler (HTTP debugger for any browser on Windows/any platform that can use proxies) and compare requests/responses sent by the browser and your program. – Alexei Levenkov Dec 31 '13 at 08:21
  • @bansi No, I don't check. In the response I get an error for login to the site. – Saman Gholami Dec 31 '13 at 08:23
  • @AlexeiLevenkov I monitor with Fiddler, but it doesn't show the POST request, and it seems some cookies are in the request. What should I do now? – Saman Gholami Dec 31 '13 at 08:57
  • Fiddler shows all requests (POST/GET over HTTP/HTTPS). Make sure you set the proxy properly for your C# code and do not use localhost as the target: http://stackoverflow.com/questions/3896601/how-to-use-fiddler-to-debug-traffic-from-any-app-eg-c-wpf-app – Alexei Levenkov Dec 31 '13 at 09:00
  • @AlexeiLevenkov I see the request posted by Fiddler; it's the same as my request. Do you know whether the server is able to identify that my request was not sent by a browser and block me? – Saman Gholami Dec 31 '13 at 10:04
  • Fiddler does not "post requests"... You need to capture the request sent by the browser (that works) and the one sent by your program (that does not work) and carefully compare. Servers can't distinguish identical requests sent by a browser or something else. – Alexei Levenkov Dec 31 '13 at 20:32
  • @AlexeiLevenkov Yes, you're right. It worked. Thanks. Please post your comments as an answer so that I can choose it as the best answer. – Saman Gholami Dec 31 '13 at 20:49

1 Answer

Servers can't distinguish identical requests sent by a browser or something else - so as long as your request generated by C# is similar enough to one created by a browser, it will be accepted by the server.

Where the main differences usually come from:

  • cookies (browsers automatically manage cookies, custom code needs to carefully get cookies from responses and send in future requests)
  • dynamic fields on pages (like AntiForgery tokens)
  • wrong encoding of the request by custom code (especially if using lower-level objects like WebRequest to send the request)
  • user agent (unlikely, but possible)

How to compare requests: use tools that capture traffic and compare working requests to ones that do not produce the expected results. There are many around, with Fiddler being my favorite.

With Fiddler, browser requests will be automatically captured. For C# (or other automated code) one may need to set the proxy to point to Fiddler (unless the tool uses the default system proxy). Instructions can be found in this question - How to use Fiddler to debug traffic from Any app (eg. C#/WPF app).

Pay attention to error codes returned by the server - often it is pretty clear if the request is completely wrong (400/500), or you got the authentication information wrong (403/401), or there is some sort of multistep process to authenticate (301/302).

Alexei Levenkov
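An added example, not part of the original question or answer: a login flow that addresses the first three differences listed in the answer by sharing one cookie container between the GET and the POST, reading the hidden `token` fresh from the served page, and letting `FormUrlEncodedContent` do the encoding. `LoginUrl` is a placeholder (the page masks the real form action), `LoginExample` and `ExtractToken` are hypothetical names, and the field names are the ones in the form above.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

static class LoginExample
{
    // Placeholder: the page masks the real form action as "****".
    const string LoginUrl = "https://example.invalid/login";

    // Reads the hidden "token" value from the login page HTML.
    // Assumes name="token" precedes value="..." as in the form on this page.
    public static string ExtractToken(string html)
    {
        Match m = Regex.Match(html,
            "<input[^>]*name=\"token\"[^>]*value=\"([^\"]*)\"", RegexOptions.IgnoreCase);
        if (!m.Success) throw new InvalidOperationException("token field not found");
        return WebUtility.HtmlDecode(m.Groups[1].Value);
    }

    static async Task Main()
    {
        // One CookieContainer for both requests, so the session cookie set by
        // the GET is sent back with the POST, as a browser would do.
        var handler = new HttpClientHandler
        {
            CookieContainer = new CookieContainer(),
            AllowAutoRedirect = false   // keep a 301/302 after login visible
        };
        using (var client = new HttpClient(handler))
        {
            // 1. Fetch the form: this yields a fresh token and the cookies.
            string html = await client.GetStringAsync(LoginUrl);
            // 2. Post the same fields the HTML form submits, URL-encoded.
            var fields = new Dictionary<string, string>
            {
                { "token", ExtractToken(html) },
                { "UserHandle", "my username" },
                { "Password", "my password" },
                { "Login", "SignIn" }
            };
            var resp = await client.PostAsync(LoginUrl, new FormUrlEncodedContent(fields));
            // 3. Status code and redirect target show which case applies.
            Console.WriteLine((int)resp.StatusCode + " " + resp.Headers.Location);
        }
    }
}
```

If the token is tied to the session cookie, a token copied from an earlier browser session will be rejected even though it looks valid, which is why the GET and the POST share one handler here.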