I have been trying to figure this out all day. I have an one application that forwards to another application in order to handle logins. The first application redirects to a webAPI URL. That url then takes one of the parameters and creates a token. It then sends a 403 response with a Set-Cookie Header. The cookie that is sent is that header is never being set.
After a bunch of research I thought that It might need a P#P header so I have tried various combinations of that.
Here is the Code:
Public Function Authenticate(t As String, forwardURL As String) As HttpResponseMessage
Dim resp As New HttpResponseMessage()
If VestigoBusinessObjects.UserToken.IsValid(t, EncType.AES) Then
Dim user As New UserToken(t, EncType.AES)
user.ResetExperation()
'Create usertoken cookie
Dim Cookie = New CookieHeaderValue("t", user.GetEncTicket())
Cookie.Expires = DateTimeOffset.Now.AddDays(1)
Cookie.Domain = Request.RequestUri.Host
Cookie.Path = "/"
resp.Headers.AddCookies(New CookieHeaderValue() {Cookie})
resp.StatusCode = HttpStatusCode.RedirectMethod
resp.Headers.Location = New Uri(forwardURL)
resp.Headers.Add("Pragma", "no-cache")
resp.Headers.Add("Cache-Control", "no-cache")
Return resp
End If
resp.StatusCode = HttpStatusCode.Unauthorized
Return resp
End Function
Here are the headers that I see being set back in the browser:
Request URL:deleted because it won't let me post them?
t=bB%2B%2FpRLq%2BzobRcXgQuw5rjMa8Yeb1Wxb7qIZCtjLfwiN8RNT%2BQYjzIuWI9j3JPn4qnpXpgK%2F%2B6ucL96lBmpD6ryIbFJvP3yPOfJjXuZsECfWlj58etczEco79q0SNJj0c%2BwKLREh5FWMfTvN%2BQxSn8nMEr6JzS06CuPizM1k0Kef52ZrHVkxHDv6qVyGLJrxRFebwbpFT0LNMCCihJ%2BZ%2FbmfvvKl9lfg18vHT8nhL1dDtAlR0Fd%2FdSuB5L6Yg3Yj%3F%3FHKZNy0zYBTVwdL7NXMFGXw%3D%3D&forwardurl=http%3A%2F%2Flocalhost%3A4644%2FInternalMonitor.html
Request Method:GET
Status Code:303 See Other
Remote Address:[::1]:4644
Response Headers
Cache-Control:no-cache
Content-Length:0
Date:Tue, 29 Nov 2016 22:58:11 GMT
Location:deleted because it won't let me post them
P3P:CP="IDC DSP COR IVAi IVDi OUR TST"
Pragma:no-cache
Server:Microsoft-IIS/10.0
Set-Cookie:t=5524596D26C583E9DEAC935880DD6FE40D579B362A63EECE67942CD0DCEDDE47D5B6B367AF3547A93E4F309C12F2607EED1F02E19D698D2BAD97E6E9BB1FD807EF331842AEA6B62CE0BFF90206F62B31EAAB5035BD26BC66B89D1A8A676E47FB2CD007B5644487781D79DD0D26454B16E60EF96E6034EA350F8190C0317BCF3CA0875EAA41795014F1F1430E55E79E56E911BA097F09E89DAF3BC86BFE8E5EC6E74C72CDB500005E0E0FDA6E2B394A8400DDB63C4B33EA755D0D083A87B5B1244F1529353FE758EF666ECBA57BEE50AF4D319AB42F1183A3244E01AF87A3F9CADF8861DC29497945052CC568E6B4D996A9E0F8139CEEF4DCCCBB1990F138F735D2FC6FEFA352430FE9CB999926A47EA374E87895F8079F3C0550A45000EF26E030E14CE814E823BCC788E4882CCBCC795FAAC7C9BC4D7A5BEBD902CF79900296D61DC277A2CC375AEBE3FEAF6E605CC167DF757A8805332C33E32A6B8DECF3C92DCB96B7A4E015499D6B5FFB807FAA69408A74EFE323C58C796027ED89D39E4F6C22B3865B301B7B1BF77C1CA4B2AD39B245E9B0388B3D2D3D9C33DFD577ED633F9AB82AC2A63DA608BBCA32FFCEC96FE7CB299930674745018B81BE606C6181F0A5C94AA6DB025A6B5829ABCABD4A7A075BE33246CBE151D320904AA3643C6AE7E4DBA553500AB19522970036DA64323E1A4352241DB8CF4FEE6FE121135DC9364F8A2C3ADA4346BAFBF8B18F7875F3; expires=Wed, 30 Nov 2016 22:58:12 GMT; domain=localhost; path=/
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET
X-SourceFiles:=?UTF-8?B?
YzpcVEZTXFZlc3RpZ29cVGVzdFxDZW50cmFsTW9uaXRvclxhcGlcQXV0aGVudGljYXRpb25Db250cm9s
bGVyXEF1dGhlbnRpY2F0ZQ==?=
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0. 8
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Cookie:ASP.NET_SessionId=cnru1r4g0svzeomwglkwestw; .ASPXAUTH=1566301093F4FC41F147432F8A4B044E3A19EFC46C47A1BE54F95A98E08EE8952197E5212230F0416776480CA3496036DCA0C0B8AEF0D08675D4B20E655E107F055E1D60150BF84334F65FE63E134B0252EF3B8F02E1E0BC372DBA80006300215AAE095F4333F48BB04D0DF315D825BF1A1B0F27A81E32E82ACEEA791BF11551A8F96A1B0AED9EC11EEA5EF34AE03406; hoursDiffGMTTime=-5; ScreenResolution=1920x1080; BrowserResolution=1920x950; t=FDB5B335C4DCE820A037947D7A19D487FF44AB3CC2EA8E44FB6EA59FDA43E14BA53B0E455EED57C63040B8995C67C9B96146516B600B0ED4FC397DFFBE16FA259C554AC24A2CCBB99537FBA6BAC2F1F78031BD3F0D11FED97B57CB401738319890ACD128926B3DF05AEAE975979B18DE32A60795FB8360B4D1CB8517B7E34E7B14EF0EBE77036FA72504F3C2B12B2C147D6599C1357F2789A09134B9F2020F4A413E96A5DBE0E725E09EAEB82AB8DFAB212760E5D09501BC0AD9248119CAF245E2B448437529A7AF72725E0DB2EA2975915D934B13E6226C4DF0D1E4426B25DA6822F1D678127B30736355B645729501888C5079629052467C5AB0458709AEE6B3BA04363951DDDCE33DA656C5B1E3979A7BFD182459074B3588856A0859FCFBC5EB95A6BF8C6ECAF9623E8A2E167580191C1C3BE89446FA212E0E908578DC7CE1E99F11CCD460A2E07E1D53F25DA96AFD92D9D13B753C80015E7E2722A1F473D1E958CA0FA19DA3F959E4A813D55C8468B8A16F959C7F3469D71F6433282FE5C03B5FFEE32ED2739CBB4ECBF79D8573769F497A954B58611F7FB9D3EB256492675F36523E6557545FC9AFD27A04360835AD5DC54CE94372FAB5830AEB7FAE086E1D13837ADB91EEC76C0F12614524E98B0D5B0C6D833490D280F62FDBF69706896D9B5EDDD2B59C8DF3A82CEF4475941A319BBD03FB4C16522B5188081943EDFEB0DFD857FB853D903B036DF66F0B9F
Host:localhost:4644
Pragma:no-cache
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Query String Parameters
t:bB+/pRLq+zobRcXgQuw5rjMa8Yeb1Wxb7qIZCtjLfwiN8RNT+QYjzIuWI9j3JPn4qnpXpgK/+6ucL96lBmpD6ryIbFJvP3yPOfJjXuZsECfWlj58etczEco79q0SNJj0c+wKLREh5FWMfTvN+QxSn8nMEr6JzS06CuPizM1k0Kef52ZrHVkxHDv6qVyGLJrxRFebwbpFT0LNMCCihJ+Z/bmfvvKl9lfg18vHT8nhL1dDtAlR0Fd/dSuB5L6Yg3Yj??HKZNy0zYBTVwdL7NXMFGXw== forwardurl: deleted because it won't let me post them
Any input would really be appreciated.