ASP.NET_SessionId #14

Closed
vava456 opened this issue Oct 12, 2020 · 6 comments
Labels
question Further information is requested

vava456 commented Oct 12, 2020

Hi, it's not an issue with the project, I was just wondering how do you bypass the ASP.NET_SessionId. Doing an API for a project, I'm stuck on this: it expires and changes and I don't know how you got away with this, because you use only __RequestVerificationToken and a POST request needs more information.

kookehs (Owner) commented Oct 13, 2020

> how do you bypass the ASP.NET_SessionId

I don't believe it's required for a call to their backend. The __RequestVerificationToken found in cookies changes from time to time but not between requests, so I assume it's based off the ASP.NET_SessionId or some data that can identify a user.

> it expires and changes

While the session will expire, the tokens generated from the session and form are still valid and should not expire. I'm still using tokens from the beginning of this year. Keep in mind you'll have to use form tokens from the same session they were generated in. Both form and session tokens contain an anti-XSRF token within, and these must match when extracted. Their customAjax function appends form fields to a hidden form with the __RequestVerificationToken for the form already filled. The HTTP client will handle the cookies so the backend will get the session token as well, then it's validating the tokens on their end. More on token validation.
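
A simplified model of the paired cookie/form token check described in the comment above, as an added example that is not code from this project, from ASP.NET, or from either participant. The HMAC key, the JSON payload layout and all function names are assumptions made for illustration; real tokens are opaque blobs protected with the server's own keys.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

SERVER_KEY = secrets.token_bytes(32)  # stand-in for the server's protection key (assumption)


def _protect(payload: dict) -> str:
    """Serialize a token and prepend an HMAC so clients cannot alter it."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return urlsafe_b64encode(tag + body).decode()


def _unprotect(token: str):
    """Return the payload, or None if the token is malformed or tampered with."""
    try:
        raw = urlsafe_b64decode(token.encode())
        body = raw[32:]
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(raw[:32], expected):
            return None
        return json.loads(body)
    except (ValueError, TypeError):
        return None


def issue_pair(username: str = ""):
    """Issue a (cookie_token, form_token) pair sharing one random security token."""
    security_token = secrets.token_hex(16)
    cookie = _protect({"session": True, "sec": security_token})
    form = _protect({"session": False, "sec": security_token, "user": username})
    return cookie, form


def validate(cookie_token: str, form_token: str, username: str = "") -> bool:
    """Accept the request only if both tokens are authentic and belong together."""
    cookie, form = _unprotect(cookie_token), _unprotect(form_token)
    if not cookie or not form:
        return False
    if cookie.get("session") is not True or form.get("session") is not False:
        return False  # tokens swapped, or the same token sent in both places
    if not hmac.compare_digest(cookie["sec"], form["sec"]):
        return False  # form token was generated alongside a different cookie
    return form.get("user", "") == username
```

Nothing in this model carries an expiry time or a session identifier, so a matching pair keeps validating for as long as the server key is unchanged; such tokens guard against cross-site request forgery and are not a substitute for authentication.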

vava456 (Author) commented Oct 13, 2020

Thanks for the quick response,
I know the token doesn't expire often, it stays the same, but the ASP.NET_SessionId does and I can't make a request without it.
Let me be more clear: I'm making a POST request on GetWorldMarketSubList, for instance. Here is the most important part of my request in C#:
I send a POST request to: http://marketweb-eu.blackdesertonline.com/Home/GetWorldMarketSubList

```csharp
request.Headers.TryAddWithoutValidation("Cookie", "ASP.NET_SessionId=asp_sess; __RequestVerificationToken=token");
request.Content = new StringContent("__RequestVerificationToken=cookie&mainKey=12031");
```

If I don't mention the ASP.NET_SessionId I get the following error: {"resultCode":2000,"resultMsg":"TRADE_MARKET_ERROR_MSG_UNAUTHORIZED","redirectUrl":"https://account.playkakaogames.com/oauth/blackdesert/authorize?client_id=bdo_central_market_web-eu-live\u0026response_type=code"}
I have to update the ASP.NET_SessionId very often for it to work, so I don't understand how you do it. Can you send me the type of request you are sending for it to work, like a curl bash request for example?

I really appreciate your time and effort to help me.

kookehs (Owner) commented Oct 13, 2020

> request.Headers.TryAddWithoutValidation("Cookie", "ASP.NET_SessionId=asp_sess; __RequestVerificationToken=token");
> request.Content = new StringContent("__RequestVerificationToken=cookie&mainKey=12031");

If there's complete minimal code to reproduce I could look into it more.

```bash
curl --location --request POST 'https://marketweb-eu.blackdesertonline.com/Home/GetWorldMarketSubList' \
--header 'Cookie: __RequestVerificationToken=<TOKEN>' \
--header 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36' \
--form '__RequestVerificationToken=<TOKEN>' \
--form 'mainKey=5804' \
--form 'usingCleint=0'
```

vava456 (Author) commented Oct 13, 2020

Hi, thanks for the reply.
I have just tried your request and it doesn't work, I have the same error:

{"resultCode":2000,"resultMsg":"TRADE_MARKET_ERROR_MSG_UNAUTHORIZED","redirectUrl":"https://account.playkakaogames.com/oauth/blackdesert/authorize?client_id=bdo_central_market_web-eu-live\u0026response_type=code"}

When I don't mention ASP.NET_SessionId I always get this error; when I mention it everything works.
Can you send me a curl that works on https://reqbin.com/curl where it returns sublist info, if you don't mind, because I can't find a way to get around it.

Thank you in advance.

kookehs (Owner) commented Oct 13, 2020

> {"resultCode":2000,"resultMsg":"TRADE_MARKET_ERROR_MSG_UNAUTHORIZED","redirectUrl":"https://account.playkakaogames.com/oauth/blackdesert/authorize?client_id=bdo_central_market_web-eu-live\u0026response_type=code"}

I haven't seen this response before. I'm wondering if the backend is different for EU? I don't have an EU account to test with so can't confirm, but I don't imagine it would be different. Usually when credentials, headers, or form data is incorrect it returns a 404 page.

> Can you send me a curl that works on https://reqbin.com/curl

The above tool doesn't support form data.
Tested it here and it works. https://repl.it/repls/PrevailingHotpinkCodewarrior#main.sh

kookehs added the "question" (Further information is requested) label Oct 13, 2020

vava456 (Author) commented Oct 14, 2020

Thanks, I have fixed my problem thanks to you.
The issue was this curl option: "-H 'X-Requested-With: XMLHttpRequest'". This was forcing an AJAX request and needed me to specify ASP.NET_SessionId; removing it fixed everything.
Thanks for your time!

kookehs closed this as completed Oct 14, 2020