Sample forms authentication test in C#

This sample test is doing the following:
1. Sending request to a page which requires forms authentication. This results in 302 to login page.
2. Send request to login page.
3. Parse response from 2 and create response entity containing username/password to be used in next post request to login page.
4. Do a POST to login page. If successful this should return a 302 with Set-Cookie and location header.
5. Send request to location pointed to in last response (this is original page we requested in 1) with request cookie as returned in 4. Read more ...

View the original post


  • cvbcvbvcbcvb

  • Pretty Interesting. Tried it!

  • Hi Singla

    I have used your code for testing a forms authentication.
    The last request.GetResponse() (see below) including the cookie exits always for timeout. I am sure about the url so that I would ask you your opinion about the solution of this drawback.
    Best regards.

    // Send request to originalUri with the cookie
    // We should be able to see originalUri contents
    //Requesting http://localhost" + locationHeader + " with cookie");

    request = (HttpWebRequest)WebRequest.Create("http://localhost" + locationHeader);
    request.AllowAutoRedirect = false; request.Headers.Add(HttpRequestHeader.Cookie, cookie);
    response = (HttpWebResponse)request.GetResponse();

  • Maurizio,

    Can you try disabling forms authentication and sending a request so that you can know if problem occurs only in forms authentication scenario or if there is some wrong with application?


  • Kanwaljeet,

    This was exactly what I was looking for. Thanks for this.

    Just a question though, what was the point of this section of code

    Stream requestStream = request.GetRequestStream();
    requestStream.Write(requestData, 0, requestData.Length);

    Also, I haven't really figured this out yet, but when is the postString (with username/password) stored in the request? I only see the code that determines the lenght of it.

  • I have tried your app and I can get logged in and I see the asp.ASPXFORMSAUTH cookie is returned and I include that ticket on my post back and I get returned back to the logon.aspx page again.

    I modified the code to include a CookieContainer object to store the cookies that is returned and return the associated cookies and can tell that the cookies are getting added to the container and a Status Code 500 is returned. Is there any way you can post a working sample? I have screwed with this for about 3 or 4 days now and can not get it working.

    Thanks in advance.

  • Steven,

    request.GetRequestStream() is called for the POST request and the returned request stream is then to put the data which need to be sent to the server. requestData is the postString containing username/password and requestStream.Write() call is puting this poststring in request.


  • Dale Sides,

    If I understand you correctly, you want to make this sample work using HttpWebRequest.CookieContainer. Here is what you need to do.

    Instead of getting into cookie parsing, lets read the cookie returned in the response using HttpWebResponse.Cookies instead of reading Set-Cookie header. This property is not valid if CookieContainer property of HttpWebRequest object which was used was null. So after each WebRequest.Create calls, add the following.

    request.CookieContainer = new CookieContainer();

    Here is how you get CookieCollection from HttpWebResponse.
    trace.WriteLine("Location header is " + locationHeader);
    CookieCollection cookies = response.Cookies;

    Below is how you can add Cookies to HttpWebRequest.

    //request.Headers.Add(HttpRequestHeader.Cookie, cookie);
    request.CookieContainer = new CookieContainer();
    foreach (Cookie oneCookie in cookies)

    With these changes, sample should work just fine.


  • I had the same problem as Dale Sides (using the original script).
    However the solution of using CookieCollection just work fine
    Thank you very much

  • Great article, helped alot. Thanks!

    NOTE, however: Be sure to call "response.Close()" after you're done with each response!! Has to be done before calling the next "request.GetRequestStream()" or the request could (will) time out. (Works perfectly w/ localhost WS, was timing out on me hitting remote WS.) See


  • I have tried it on an site and it works! Thanks. But I am not able to get data from a non site. Could you please post the code for this.

    Thanks in advance

  • Excellent post. Thanks for the code.
    CookieCollection fix worked for me.


  • I got the code working and thank you very much. I am getting the response stream from the secure page. I know need to display this page in a webBrowser control on a winform.
    I can get the page to display but link on the page will not work. I am passing the response stream to the webbrowser.documentstream property and stuffing the set cookie (from the post 302 return) in the webbrowser.document.cookie property.

    Still no luck, any help would be appreciated.

    Thank you very much, Yves

  • In my case, when I perform the HttpWebRequest with the specified MethodType="POST", the HttpWebResponse is OK as opposed to FOUND, which I believe is why the location header is null. Any thoughts as to why I would receive a 200 response as opposed to 302?

  • Just what I needed... anyway, just a question, i'm doing something like this, only, my website requires request headers only, and not actually post the username and password. could anyone please help me...

  • The last WebRequest keeps timing out. I have tried with and without using a CookieContainer, but have had no luck. Any thoughts as to how I can get a secure response as opposed to timing out?

  • Hi there,

    I was adapting this sample to fit my site's page and it worked with Visual Studio 2008 development environment.
    After I pointed the test to my development server which is an IIS 6.0 and there I started to get requests timeouts.

    I can still read my resulting page in Visual Studio 2008 test server without code modification, but IIS 6.0 times out.
    Any clue about this?

    Thanks in advance.

  • Is there any way to use this to get around windows authentication? I've got a login and password for the site but I'm trying to screen scrape a little of the data to automate a process and can not get around the NTFS style login.

  • Hi kanwaljeet
    Actually I am sending a report page as email in my application which is forms authentication.
    The originaluri is http:l//localhost/abc/xyz/report.aspx and the login url is http://localhost/abc/login.aspx
    In my application the user will get company.aspx page after login then he should select the company name from given dropdown,after selecting company only he will redirect to specified page.
    I tried your code,it is successfully loged in and redirected to company.aspx page.In aspx page the company selection will be the user choice ,so I could not pass the parameter to company.aspx can i do this,Please suggest me

  • Hi Kanwaljeet,
    Thanks for your reply,Here I am passing the company name with query string to each and every page except login and company pages.
    When I tried to send report with the help of your article it was sending company.aspx.
    my report url is like
    http://localhost/accountspackage/sixthadmin/management/repQuotation.aspx?Id=" & vno & "&Value=" & DecryptUserValue() & "&cp=" & ecCompany()
    In above link cp is company name.
    I tried a lot to make it success but I could't ,
    I struck here,Please help me

Comments have been disabled for this content.