I have a situation where I'm trying to log into my bank's website which uses HTTPS form-based authentication. I've tried posting the appropriate username/password to the appropriate URL, but the server is not authenticating me (keeps forwarding me to some generic error page). I've considered several potential issues causing this failure, but am not quite sure what to do:
1. The website expects/requires you to go to the initial HTTPS-protected login form page. Potentially the site sets a cookie at that first page and validates on form submission that the cookie is present. I've experimented with trying to get past this (if it indeed is happening) by setting the cookie policy on an HttpClient to BROWSER_COMPATIBLE, using that HttpClient to execute a GetMethod to the login form page, then using the same HttpClient to execute a PostMethod submitting the right username/password. That didn't work. Did the steps I executed make for an appropriate test? Is there a way I can confirm what cookie policy I should be using?
2. I thought I heard/read a while back that to securely post data to an HTTPS URL, you need to initially come from an HTTPS URL as well. Is this true? If so, is using the same HttpClient instance to execute all GetMethods & PostMethods sufficient?
3. Are there any debugging techniques (examining header values, cookies, etc.) I can use to verify what exactly is causing my inability to log in?

John M. Corro
(414) 524-7118
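
The GET-then-POST test described in point 1, with the header and cookie inspection asked about in point 3, as an added example that is not part of the original post. It assumes Commons HttpClient 3.x (with commons-logging and commons-codec) on the classpath; the local plain-HTTP server, the `SID` cookie, and the credentials are constructed stand-ins for the real site.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.cookie.CookiePolicy;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.PostMethod;

public class LoginFlowDebug {
    public static void main(String[] args) throws Exception {
        // Constructed stand-in server: GET /login sets a session cookie,
        // POST /login redirects to /error unless that cookie is sent back.
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        srv.createContext("/login", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            if ("GET".equals(ex.getRequestMethod())) {
                ex.getResponseHeaders().add("Set-Cookie", "SID=constructed123; Path=/");
                ex.sendResponseHeaders(200, -1);
            } else {
                boolean ok = cookie != null && cookie.contains("SID=constructed123");
                ex.getResponseHeaders().add("Location", ok ? "/home" : "/error");
                ex.sendResponseHeaders(302, -1);
            }
            ex.close();
        });
        srv.start();
        String url = "http://127.0.0.1:" + srv.getAddress().getPort() + "/login";

        HttpClient client = new HttpClient();  // one instance keeps cookies in its HttpState
        client.getParams().setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
        dump(client, new GetMethod(url));      // step 1: fetch the login form page
        PostMethod post = new PostMethod(url); // step 2: submit the form
        post.addParameter("username", "demo-user");      // constructed value
        post.addParameter("password", "demo-password");  // constructed value
        dump(client, post);
        srv.stop(0);
    }

    // Executes the request, then prints the headers sent, the headers received,
    // and the cookies the client is holding afterwards.
    static void dump(HttpClient client, HttpMethod m) throws Exception {
        int status = client.executeMethod(m);
        System.out.println(m.getName() + " -> " + status);
        for (Header h : m.getRequestHeaders())  System.out.print("  > " + h.toExternalForm());
        for (Header h : m.getResponseHeaders()) System.out.print("  < " + h.toExternalForm());
        for (Cookie c : client.getState().getCookies()) System.out.println("  stored cookie: " + c);
        m.releaseConnection();
    }
}
```

In the output, a `Cookie` line under the POST request headers shows that the cookie policy accepted and replayed the cookie, and the `Location` header on the 302 shows which page the server chose.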
