Adarsh's blog : HttpWebRequest

Client side certificate with strong key protection and WebServices

adarshk — Thu, 17 Feb 2005 21:46:00 GMT

When you are writing application to run as service or middle tier, which is using client certificates. You should not enable strong key protection during certificate installation.

Strong key protection is the way you are informing the system that whenever someone want to use this protected resource (client certifcate) then prompt me for the permission. In middle tier environment you really do not want this prompt, you really want to run your application unattended. In fact with .Net frameworks 1.1, SP1 you won't be able to use the certificate with strong key protection.

Check the posting from Kevin W. Hammond about his experience on this issue

http://blogs.msdn.com/kevinha/archive/2005/02/15/373254.aspx

This posting is provided "AS IS" with no warranties, and confers no rights

Understanding HttpWebRequest Connection Management and ServicepointManager

adarshk — Sun, 02 Jan 2005 10:34:00 GMT

If you are looking for some information on understanding the basics of HttpWebRequest connection management and servicepointmanager, I just posted an article which could be useful for you.

http://blogs.msdn.com/adarshk/articles/345411.aspx

This is first in the series, in future posting I promise to provide more details about specific scenarios which include Http with authentication and proxy server and also for other protocols like FtpWebRequest and SmtpClient, which were added in .net frameworks 2.0.

HttpWebRequest.GetResponse() gives "HTTP protocol violation" error after .net frameworks service packs

adarshk — Mon, 08 Nov 2004 20:44:00 GMT

This blog is valid for users of .Net frameworks 1.0 SP3 and .Net frameworks 1.1 SP1

The error is really because server is sending response with bad header format, which violates the http protocol specifications. These changes had been made to disallow bad headers. Bad http header could cause security vulnerability based on response-splitting and other attacks based on misinterpreting HTTP streams.

However if your application still need to deal with such responses, you could roll back to old bahavior of relaxed header parsing. You need to use following app.config file.

This posting is provided "AS IS" with no warranties, and confers no rights

Using SSL client certificate in WebRequest and WebServices without certificate installation

adarshk — Wed, 01 Sep 2004 20:21:00 GMT

If you are using .Net frameworks 1.0 or 1.1, certificate must be installed on either User store or Machine Store. This posting is only valid for v2.0.

In version 2.0 (Currently released Whidbey Beta1) user have option to use the certificate which contain the private key without installing it on certificate store.

In general it is not recommended practice to store certificate as file and not install in certificate store. In some special cases user might not have access for certificate installation (e.g. Webbhosting site only allow ftp access to users). In such case you can store full certificate file (include private key) on a share and use it for client certiificate based SSL authentication.

System.Security.Cryptography.X509Certificates namespace provide classes to create X509CertificateEx instance with private key persistence like below

X509CertificateEx Cert = new X509CertificateEx();

Cert.Import(_certificateFilieName,_certificatePassword,X509KeyStorageFlags.PersistKeySet);

If you add X509CertificateEx instance as mentioned above to client certificate collection of HttpWebRequest or WebService instance, certificate base authentication would work without installing certificateon cetificate store of the machine.

This posting is provided "AS IS" with no warranties, and confers no rights

Establishing cookie based session with WebServices and HttpWebRequest

adarshk — Tue, 24 Aug 2004 23:18:00 GMT

Create cookie based session with HttpWebRequest

One common requirement for Http based application to maintain the session state within the application, if your http based application is using the System.Net.HttpWebRequest class, then you could use Cookiecontainer property to send and recieved the cookies. Important thing to note that you should create a single CookieContainer instance and use it across all applications

Following example code snippet shows the sending and recieving the cookies from client application.

CookieContainer myContainer = new CookieContainer();

// following line will add a cookie in container, which would be for all urls on the domain myDomainstr

myContainer.Add(new Cookie("name","value","/",myDomainstr));

HttpWebRequest request1 = (HttpWebRequest) WebRequest.Create(httpUrlString);

request1.CookieContainer = myContainer; // use this same container for all requests in your app

HttpWebResponse response = (HttpWebResponse) request.GetResponse(); //you can check cookies on response.Cookies

..........

...........

HttpWebRequest request2 = (HttpWebRequest) WebRequest.Create(httpUrlString2);

request2.CookieContainer = myContainer; //all relevant cookies recieved on request1 would be automatically included in request because of same Cookiecontainer instnce.

HttpWebResponse response = (HttpWebResponse) request.GetResponse();

Create cookie based session with WebServices

If application want to use WebServices with cookie based session variables to execute service (ex. UserId of current ASP.Net session). This could be done via using the CookieContainer class and no need to add extra parameter inside the webservice call.

Following code demonstrate the setting of userID on the webservice from client side, In this example adarshk_srv.RunSoap is the WebService proxy object on client side

adarshk_srv.RunSoap RunService = new adarshk_srv.RunSoap();

RunService.CookieContainer = new System.Net.CookieContainer ();

RunService.CookieContainer.Add (new Uri(RunService.Url),new Cookie ("userName",”adarshk");););

On the server side WebService implementor could access the cookies send by the client from the HttpContext as shown below

if(Context.Request.Cookies != null && context.Request.Cookies["userName"] == "adarshk")

{

// access data specific to adarshk

}

else

{

// return the general data

}

This posting is provided "AS IS" with no warranties, and confers no rights

SSL https requests with client certificates from ASP.NET

adarshk — Mon, 19 Jul 2004 23:10:00 GMT

Problem

Applications making https request from .net web applications (.aspx pages) are not able to use client certificates.

Cause

Client certificates are linked to user accounts, ASPX is running under ASPNET account, this account can’t access the certificates installed under user account or system account.

HttpWebRequest implementation only access the certificate only from account under which process is running or under System account. Most of the time when we install the certificate it is installed in current user account.

Possible Solutions

a) Run the service under the account which certificate is installed, but in real world this is not a feasible solution on production servers,

b) Install the certificate under System account and provide access to ASPNET service account, this could be achieved using following steps

a. Install certificate using MMC (Microsoft Management Console) or using certificate configuration tool as described in Microsoft KB article (http://support.microsoft.com/?id=823193 )

b. Tool is available at the following link

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

Make sure following, when installing the certificate

1) Certificate contains the private key, otherwise it can’t be used for client authentication, .cer certificate files only contain the public key, you need to have certificate with .pfx or .p12 file,

2) Make sure you are installing certificate in “My” store of the system account, following command is an example of installing certificate in “My” store of “System” account with extending access to aspnet account, follow the above link for more detailed description and usage of certificate configuration tool

WinHttpCertCfg -i mycert.pfx -p certpassword -c LOCAL_MACHINE\my –a aspnet

Note: Solution discussed here would work on .Net frameworks v1.0 with SP3 or v1.1 with SP1 install, on previous versions of frameworks clientcertificate were used only from current User store not from System acount.

This posting is provided "AS IS" with no warranties, and confers no rights