Wpf – Persistent cookies in WPF WebBrowser control

browsercookieswpfwpf-controls

I'm using the WPF WebBrowser to display online help inside an app (just a few small web pages). Some of those pages use cookies to display items only for the first few times the pages are viewed (it's a "Why not try X" type of thing).

However, for some reason the cookies don't seem to be working inside the WebBrowser control. They work fine in full IE as well as Firefox and Chrome (so the items correctly hide), but they never hide when viewed through the WPF WebBrowser control.

Is there something special about using cookies in the WPF WebBrowser control? It seems to be behaving as if all the cookies are only stored in memory, rather than being persisted on disk.

Here's one of those pages inside a browser (where the cookies work):

Help pane inside a browser

And here's the exact same page inside the app:

Help pane inside the application

That additional content should only be visible for the first few times of using the software (i.e. it should be hidden after N views of that web page), but because I can't get cookies to work it's always visible.

Best Answer

Cookies handling in Internet Explorer (or hosted versions) is tied to the IE's own notion of "URL Security Zones", doc here: About URL security Zones

So, IE determines an url zone using various alogorithms applied to the url. Depending on the zone, your hosted browser may or may not support session or persistent cookies.

Strangely, when I create a small WPF sample, add the web browser to it and have navigate to this persistent cookie tester utiliy page: http://www.rbaworld.com/Security/Computers/Cookies/givecook.shtml, it works fine. Each time I launch the sample app, the counter is incremented fine, so not everyone can reproduce your problem. Well, that's the whole purpose of URL Security zones: it can vary by machine, by user, by Windows policy, etc...

The next question is: Can I change the zone you're running in? The short and easy answer is ... no because it's heavily tied to the security.

If you were hosting IE yourself, you could implement your own security zone handle as described here: Implementing a Custom Security Manager and a sample here: SAMPLE: Secumgr.exe Overrides Security Manager for WebBrowser Host but you're relying on WPF's webbrowser that does not allow any override... You can get to Reflector and copy all WPF private/internal code but that's a log of risky work!

The last thing you can try is to manipulate the standard Internet Security Manager. Here is some sample code that gives some hints. At least you should be able to determine the zone you're running in (MapUrltoZone) and change the cookie (TryAllowCookie). The problem with the standard manager is most of the times, it pops up dialog to the end-user allowing authorization... (security again!):

[ComImport, Guid("7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4")]
private class InternetSecurityManager
{
}

[ComImport, InterfaceType(ComInterfaceType.InterfaceIsIUnknown), Guid("79eac9ee-baf9-11ce-8c82-00aa004ba90b")]
private interface IInternetSecurityManager
{
    void Unused1();
    void Unused2();
    [PreserveSig]
    int MapUrlToZone([In, MarshalAs(UnmanagedType.BStr)] string pwszUrl, out int pdwZone, [In] int dwFlags);
    void Unused3();
    [PreserveSig]
    int ProcessUrlAction(string pwszUrl, int dwAction, ref int pPolicy, int cbPolicy, ref Guid pContext, int cbContext, int dwFlags, int dwReserved);
    // left undefined
}

public static SecurityZone MapUrlToZone(Uri uri)
{
    IInternetSecurityManager securityManager = (IInternetSecurityManager)new InternetSecurityManager();
    int zoneId;
    if (securityManager.MapUrlToZone(uri.ToString(), out zoneId, 0) < 0)
        return SecurityZone.NoZone;

    return (SecurityZone)zoneId;
}

private const int URLACTION_COOKIES = 0x00001A02;
private const int URLACTION_COOKIES_ENABLED = 0x00001A10;
private const int URLPOLICY_ALLOW = 0x00;
private const int URLPOLICY_DISALLOW = 0x03;
private const int PUAF_DEFAULT = 0x00000000;

public static bool TryAllowCookies(Uri uri)
{
    IInternetSecurityManager securityManager = (IInternetSecurityManager)new InternetSecurityManager();
    int policy = 0;
    Guid context = Guid.Empty;
    int hr = securityManager.ProcessUrlAction(uri.ToString(), URLACTION_COOKIES_ENABLED, ref policy, Marshal.SizeOf(policy), ref context, Marshal.SizeOf(context), PUAF_DEFAULT, 0);
    return (hr == 0) && policy == URLPOLICY_ALLOW;
}

Good luck :)

Related Solutions

Wpf – Changing “active content” security settings on WPF WebBrowser control

We eventually found a decent solution to this, although I still wish there were some sort of settings on the control itself. To load the documents, we just set browser.Source to be the following:

file://127.0.0.1/c$/path/to/the/file (where the path is an absolute path without C:\, for example, c$/Users/jschuster/mydocument.html)

For whatever reason, the control will display files referenced by a URL in that format without a warning.

R – WPF WebBrowser Cookies to be used in WebRequest

Update: After EricLaw posted his comment, here is a snippet of code you could use to get an HttpOnly cookie:

    [DllImport("wininet.dll", SetLastError = true)]
    private static extern bool InternetGetCookieEx(string pchURL, string pchCookieName,
                   StringBuilder pchCookieData, ref System.UInt32 pcchCookieData,
                   int dwFlags, IntPtr lpReserved);

    private int INTERNET_COOKIE_HTTPONLY = 0x00002000;

    public void GetCookie()
    {
        string url = "http://www.bing.com";
        string cookieName = "ASP.NET_SessionId";
        StringBuilder cookie = new StringBuilder();
        int size = 256;
        InternetGetCookieEx(url, cookieName, cookie, ref size,
                            INTERNET_COOKIE_HTTPONLY, null)
    }

The value would be stored in the StringBuilder "cookie"

A more detailed example can be found in this MSDN blog post.

The only other possible way to get cookies from the WebBrowser that I know of is to use the InternetGetCookie method as mentioned in this StackOverflow answer.

However, it's not possible to get HttpOnly cookies as they are unretrievable as a security feature in browsers. This helps to prevent cross-site scripting. This works the same in WinForms as it does in WPF. More information on HttpOnly cookies can be found in the Wikipedia HTTP Cookie article.

Best Answer

Related Solutions

Wpf – Changing “active content” security settings on WPF WebBrowser control

R – WPF WebBrowser Cookies to be used in WebRequest

Related Topic