Hi,
Scripted logins are generally purposely hard to crack. There are quite
possibly hidden vars along with the user and pass, sometimes JavaScript
modifies a post field before it's sent and also cookies are set that
must be duplicated.
I have always found a packet analyzer helpful such as Wireshark to get a
clear understanding of how the login process looks when using a browser,
then comparing that to what the packets look like with the HttpClient app.
That should get you started in the right direction, if you look a little
deeper.
Jeff
bo wrote:
Hi
I'm trying to do form-based authentication. Here's what happens according to
Firebug:
1. Hit the URL (GET http://foo.com)
2. That gets response code 302 and gets redirected (GET
http://foo.com/session/new) which brings a login form
3. Login form is POST with action="https://foo.com/session" and two fields
uname and passwd
4. Submitting the form gets 302 (POST https://foo.com/session) and then GET
http://foo.com/session/new which brings index page content
I'm not clear if I need to follow both redirects and what is the best way to
do it. Test code that I have follows
DefaultHttpClient client = new DefaultHttpClient();
HttpGet get = new HttpGet("http://foo.com/");
HttpResponse response = client.execute(get);
System.out.println(response.getStatusLine());
response.getEntity().consumeContent();
// do the form post, retain all the cookies
HttpPost post = new HttpPost("https://foo.com/session/new");
List <NameValuePair> nvps = new ArrayList <NameValuePair>();
nvps.add(new BasicNameValuePair("login", "[email protected]"));
nvps.add(new BasicNameValuePair("password", "Foo"));
nvps.add(new BasicNameValuePair("commit", "Sign In")); // this is actually a submit button
post.setEntity(new UrlEncodedFormEntity(nvps, HTTP.UTF_8));
HttpResponse postresponse = client.execute(post);
ResponseHandler<String> handler = new BasicResponseHandler();
String body = handler.handleResponse(postresponse);
System.out.println(body);
// still prints out login form
Thanks,
Bob S.
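
Added example, not part of either message: one way to script the four steps listed above with HttpClient 4.x, carrying over the form's hidden fields and cookies as the reply suggests. The class name FormLogin and the regex-based hiddenFields helper are assumptions made for illustration; the URLs and the field names uname and passwd are the ones given in steps 1 to 4, and the credentials come from the command line.

```java
import java.net.URI;
import java.util.*;
import java.util.regex.*;
import org.apache.http.*;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.*;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.HTTP;
import org.apache.http.util.EntityUtils;

public class FormLogin { // hypothetical class name
    static String attr(String tag, String name) { // value of one quoted attribute, or null
        Matcher m = Pattern.compile("(?<![\\w-])" + name + "\\s*=\\s*[\"']([^\"']*)[\"']",
                Pattern.CASE_INSENSITIVE).matcher(tag);
        return m.find() ? m.group(1) : null;
    }

    // Hidden inputs (for example a per-session token) that a browser would post back unchanged.
    static List<NameValuePair> hiddenFields(String html) {
        List<NameValuePair> out = new ArrayList<NameValuePair>();
        Matcher m = Pattern.compile("<input\\b[^>]*>", Pattern.CASE_INSENSITIVE).matcher(html);
        while (m.find()) {
            String name = attr(m.group(), "name"), value = attr(m.group(), "value");
            if ("hidden".equalsIgnoreCase(attr(m.group(), "type")) && name != null)
                out.add(new BasicNameValuePair(name, value == null ? "" : value));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        DefaultHttpClient client = new DefaultHttpClient(); // one instance = one cookie store
        // Steps 1-2: the 302 answering a GET is followed automatically; keep the login form HTML.
        String form = EntityUtils.toString(client.execute(new HttpGet("http://foo.com/")).getEntity());
        // Step 3: the fields named in the form, plus whatever hidden fields it carries.
        List<NameValuePair> nvps = hiddenFields(form);
        nvps.add(new BasicNameValuePair("uname", args[0]));
        nvps.add(new BasicNameValuePair("passwd", args[1]));
        HttpPost post = new HttpPost("https://foo.com/session");
        post.setEntity(new UrlEncodedFormEntity(nvps, HTTP.UTF_8));
        HttpResponse resp = client.execute(post);
        Header location = resp.getFirstHeader("Location");
        if (resp.getEntity() != null) resp.getEntity().consumeContent(); // release the connection
        // Step 4: by default a 302 answering a POST is not followed; fetch the target by hand.
        if (location == null) throw new IllegalStateException("no redirect: " + resp.getStatusLine());
        URI next = post.getURI().resolve(location.getValue());
        HttpResponse page = client.execute(new HttpGet(next));
        System.out.println(page.getStatusLine() + "\n" + EntityUtils.toString(page.getEntity()));
    }
}
```

The regex only handles quoted attributes, so a form with unusual markup needs a real HTML parser, and a field that JavaScript rewrites before submit has to be reproduced separately.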