How to enable cookies for a pseudo-browser in Delphi? - delphi

I was testing an app from Marco Cantu's Delphi 2009 Handbook. This app, called AnonAjax (page 200), has some interesting features to recognize certain elements from a Web page and list them. This app uses anonymous methods with an internal Indy HTTP client component used to access to a given URL. As part of this app's functionality, it loads the first image listed. That's great, but with a Web page using cookies it does not load the image properly. I've tried with AllowCookies=true but it does not work. How can I enable cookies for this app?

you can attach a cookie manager (indy component) to the indy http client component.

Indy 10's cookie management is currently undergoing a major rewrite to address many issues that it has. It is likely that you are encountering a situation where the version of Indy you are using is either rejecting the server's cookies incorrectly, or is not sending them back to the server correctly. Unfortunately, I do not have an exact ETA as to when the new cookie management code will be ready for public use, but it is very close, possibly by the end of this month if time permits.

Related

Delphi TWebBrowser keep getting CloudFare page

When I use MS Edge, Firefox or Opera to access Cloudfare-protected webpages, it shows the page correctly. However, using TWebBrowser it always shows the Cloudfare captcha page first.
How do I configure Delphi TWebBrowser to act like a "real" web browser which does not invite the Cloudfare page?
Note that this is occasional access to the page, and yet it triggered the cloudfare when the other browsers do not trigger at that same point in time.
Not an real answer but some things i encountered with TWebBrowser on the "real" Internet.
The Sites i encountered needed different things.
Some needed a Header Information with specific Browsers.
Executing java script to read your system envronment for language (geoblocking)
Some need cookies obtained through cross site Scripting (Fraud protection)
and many other Things for various reasons.
So, for your Target Website you can sniff where your call beginns to differ from a working Browser. And then trying to reproduce the functionality for Your Application.
What you encounter is not a TWebBrowser Problem in itself. It is Browser Funtionality used to have Features like Geoblocking, Addblock detection or whatever. So you need to implement the missing Parts: Cookie Storage and/or Java Script.
The downside is: you only find one missing Part after the other. So when you start you dont know if you will hit a dead end. Doing "real Internet Sites" with TWebBrowser (based on IE 5.5) was not easy and that was around 2005 ... in the early easy days...
Optional: If you have an Invitation from the Site owner through an Api Key (or something similar for Authentification) it should work with the TWebBrowser. If all the "Protection" is not needed it worked on almost everyting.
I never found a solid working Solution, but changing the Header to be IE5.5, enabling the newer Mode(non legacy?) and Cookies + Script helped.
If possible try it with the new Edge Component or an embedded Chrome / Firefox / Opera.
In the End we used a microsoft IE COM Component and not the Delphi Component. But even then, not everything was working.

Protect against 3rd party callers of document.execCommand("ClearAuthenticationCache")? Clears our session cookies

We have a J2EE application (running on -cough- IE only) that uses JSESSIONID to manage session state between client and server. Some of our customers use a third-party web application (https://mdoffice.sentara.com/) in which the client Javascript onload method calls:
document.execCommand("ClearAuthenticationCache");
This smashes our JSESSIONID cookie in the browser and hence causes the the app server to see subsequent requests from our IE client window as an invalid or timed out session and the user gets kicked out. Our server is OAS/OC4J, but I doubt this it matters: The same basic behavior occurs if I hit the above URL while logged into my online banking.
In trying to research this, I found that most folks are interested in duplicating this behavior in non-IE browsers. I'm interested in how to protect against it. We verified that our session cookies are have domain scoping, but the above command doesn't seem to honor that. We have a lame work-around by which we launch IE with a -noframemerging argument. That's ugly, and also ends up messing with our logic that tries to limit the client to a single login.
I can't find much useful on MSDN, but this article (http://blogs.msdn.com/b/ieinternals/archive/2010/04/05/understanding-browser-session-lifetime.aspx) does make it clear that the above command "...clears session cookies ... for ALL sites running in the current session".
Does anyone know of either:
Obviously preferable: A way to protect our precious session cookies from ClearAuthenticationCache?
Vane hope: A less aggressive alternative to ClearAuthenticationCache that we might tell our customers to communicate to the 3rd party? (Of course, they'd have to do this with any 3rd party that causes this problem. Currently there's just the one.)
Thanks for any help!

Delphi XE2 Datasnap Session Management - get session information after page reload

I am trying to determine how to retrieve session information using a Delphi REST DataSnap server.
I know that, when on the same client page, you have access to the current thread session using the TDSSession method GetThreadSession.
What I want to do, however, is store data in the session (putData) and still be able to retrieve it when the user moves from page1 to page2. At present, if the user moves to a different page, the session is lost and a new one is created, thus loosing the data in the session that I had previously set.
I have tried playing with TDSSessionManager.SetThreadSession(sessionid) - but I cant seem to get it working.
I've reviewed the much acclaimed Marco Cantu white paper, however, it doesn't provide a solution to this issue.
Any help I can get on this would be great - even if its just 'hey, this topic is covered in book X'.
Thanks!
The TDSSessionManager.SetThreadSession(sessionid) works with Session.sessionname.
Plus make sure your Lifecycle is set to Session (as stated by tondrej).
If you reconnect your client. a new session is started. So you want to keep your Datasnap connection open.
Or you can set the lifecycle to Server and mannage the client-sessions yourself.
Edit: Rest Servers are Stateless. So you need to store the page you are on on the Client. And Query the needed Page from the Server
You have to tweak the client side JavaScript to use a cookie to store session info.
See the last part of JavaScript Client Sessions
If you want to keep server side objects active for the session use the Session life cycle.
I believe what you need to do is set LifeCycle property of your TDSServerClass instance to Session (stateful). From your question it seems you are currently using Invocation (stateless).
Well, in Datasnap REST (GET, POST, DELETE, PUT) if you set your TDSServerClass to session, as is a REST in this case session is the same as invocation, is stateless (http://docwiki.embarcadero.com/RADStudio/Tokyo/en/Server_Class_LifeCycle#REST_Clients). It is right, you give the oportunity to all kind of clients to use your datasnap server with JSONs for example.
You need to create your owner model to session control to your REST server, or look for some framework to do this. In my case I use custom objects on lifecicle server (some cases with database too), and using tokens on request headers and other informations, I know if is the same client and I control too when the token expires and need to do new login, for exemple and I can give much more security too as on PUT resquests, only on records gave to client (it is only one case, but there are much others...). You need to resolve other way, not with classic way using TDSSession.

How can I detect when user browses certain url?

I'm writing an application, which becomes "useful" once user is browsing certain url.
I want to add feature to my application, that it will be automatically launched once user browses this url, I was thinking of writing some sort of watchdog to trigger it.
My question is, whether there is a generic way to get notified when user browses to urls, I want to support at least IE and FireFox, chrome and safari is nice to have.
I read about DDE and WWW_RegisterURLEcho, but from what I understand it's not supported by FireFox, and also little sample I wrote didn't work with IE as well.
Thank you in advance
some more questions **
Do Url Monikers and Asynchronous Pluggable Protocols help me here ? Is it supported by FireFox ?
If you have control over the website, you could have it write a cookie to the computer. Then have your application monitor for that cookie.
You can implement this in many ways and at many different layers.
At the highest level, you could implement a browser plugin. There is no cross-browser solution at this layer that will let you write the code once and work for every browser. On the easy end of the spectrum, Firefox, you could implement it entirely as a Javascript + XUL plugin and use built-in XPCom interfaces (nsIProcess) for launching your helper process. For IE you would need to write a COM, C++ and win32 BHO that handles DWebBrowserEvents2::BeforeNavigate2. This is the hardest thing to do. There are mechanisms for Safari, Chrome and other webbrowsers that you could use to achieve this same behavior, with varying degrees of difficulty.
At the next level you could implement an HTTP proxy, similar to Fiddler2, that redirects all HTTP traffic through your local proxy first. Each browser has a different way of configuring its proxy settings, but they're all basically registry settings or config files.
At the most basic level you could just snif all IP traffic going out of the machine, similar to the way Wireshark does it, and just look for http requests to your URL. This is probably more difficult to code, but would work for all browsers without any special per-browser configuration stuff going on. You may need to write a driver. I dunno, I've never done work at this level in the stack.

What does Indy's HandleRedirect do?

I'm having some trouble reading files with Indy from a site that has WordPress installed.
It appears that the site is configured to redirect all hits to sitename/com/wordpress.
Can I use HandleRedirect to turn that off so I can read files from the root folder?
What is the normal setting for this property? Any downsides to using it for this purpose?
(Edit: it appears that my problem may be caused by Windows cacheing of a file I've accessed before through Indy. I'm using fIDHTTP.Request.CacheControl := 'no-cache'; is that adequate?
When the server sends a 3xx result for a request, the HandleRedirects property controls whether Indy will immediately turn around and issue a new request using the new location. The alternative is that Indy will return the response code to your program. You're welcome to handle it yourself with the OnRedirect event, but if the server bothers to send anything in addition to the response code, it's unlikely to be of much use to your program. It's not as though there are hidden files that the redirection is preventing you from downloading. Set the property to true and let Indy take care of the redirection for you.
It's probably not the case that Windows is caching anything for your program. Indy doesn't use the OS cache. The Cache-Control header is an instruction to a proxy or the so-called origin server that it should not satisfy your request using a cached response without validating it with the origin server. Maybe WordPress has a cache of its own that you're by-passing.

Resources