>> there might be hidden input fields, [...]
>
> Ah - I think I may have spotted something. The actual <form> tag at
> the start contains an 'authenticity token':

[reformatted for readability]

> <form class="new_user" id="new_user" action="/users/login"
>       accept-charset="UTF-8" method="post">
>   <input name="utf8" type="hidden" value="✓"/>
>   <input type="hidden" name="authenticity_token"
>          value="VfGGu3jwjsf6xNQmlmuu3Qkgc1BsZzgu0ikhluwqmVHU9RFVQQUUANuaza9HFgXr_c71SiKwBLz8XA8bQ4hSOA"/>
>
>   [...]
> </form>

There's also that "utf8" field. Amusingly, U+2713, from the Dingbats range, is CHECK MARK. Of course, who knows what the server would do if that field weren't there or had a different value, such as maybe U+2718 (an X mark, called HEAVY BALLOT X) or U+00AC (NOT SIGN)....

> And this value is different for every copy of the page served, which
> presumably means that it is, by design, impossible for anyone to log
> in 'blind' with user name and password alone....

Likely. Quite possibly done as a defense against automated password-guessing bots. Unfortunately, with the current state of Internet governance, such defenses are close to essential.

The token looks like URL-safe base64. Decoding it under that assumption produces random-looking binary data, so I suspect it is (as should be) being done with proper crypto.

/~\ The ASCII                 Mouse
\ / Ribbon Campaign
 X  Against HTML      mo...@rodents-montreal.org
/ \ Email!      7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
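The two things the message reasons about, decoding the token as URL-safe base64 and checking whether the result looks random, and why every served copy of the page carries a different token, as an added Python example. This is not code from the message, the list, or the site being discussed. The token literal is copied from the quoted form; the masking scheme (a fresh random pad concatenated with pad XOR session secret, so each form's token differs but all unmask to one session value) is my reconstruction of how Rails builds `authenticity_token`, and its application to this site is an assumption, as are the 32-byte secret size, the helper names and the entropy threshold.

```python
import base64
import math
import secrets
from collections import Counter

# Token copied verbatim from the <form> quoted in the message above.
PAGE_TOKEN = ("VfGGu3jwjsf6xNQmlmuu3Qkgc1BsZzgu0ikhluwqmVHU9RFVQQUUANuaza9HFgXr"
              "_c71SiKwBLz8XA8bQ4hSOA")


def decode_urlsafe_b64(token: str) -> bytes:
    """Decode URL-safe base64, restoring any '=' padding that was stripped
    (frameworks and mail clients often drop it; 86 chars -> 88 -> 64 bytes)."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded)


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution. For a 64-byte
    sample the ceiling is log2(64) = 6 bits; CSPRNG output sits near it,
    while text, counters or base64-of-base64 sit well below it."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(data: bytes, threshold: float = 4.0) -> bool:
    """Assumed threshold; a crude screen for 'random-looking', not a proof."""
    return shannon_entropy_bits_per_byte(data) > threshold


# --- Why every served page carries a different token ---------------------
# Reconstruction of the per-form masking Rails applies to authenticity_token
# (an assumption about the site in the thread): the session holds one secret;
# each form gets pad || (secret XOR pad) with a fresh random pad, so the 64
# decoded bytes differ per page while all copies unmask to the same secret.

TOKEN_LEN = 32  # assumed secret size; 2 * TOKEN_LEN == 64 decoded bytes


def new_session_secret() -> bytes:
    return secrets.token_bytes(TOKEN_LEN)


def issue_form_token(session_secret: bytes) -> str:
    pad = secrets.token_bytes(len(session_secret))
    masked = bytes(a ^ b for a, b in zip(session_secret, pad))
    # Strip padding to get the same 86-character shape as the quoted token.
    return base64.urlsafe_b64encode(pad + masked).decode("ascii").rstrip("=")


def verify_form_token(submitted: str, session_secret: bytes) -> bool:
    """Server-side check: decode, length-check, unmask, constant-time compare."""
    try:
        raw = decode_urlsafe_b64(submitted)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(raw) != 2 * len(session_secret):
        return False
    half = len(session_secret)
    pad, masked = raw[:half], raw[half:]
    unmasked = bytes(a ^ b for a, b in zip(pad, masked))
    return secrets.compare_digest(unmasked, session_secret)


if __name__ == "__main__":
    decoded = decode_urlsafe_b64(PAGE_TOKEN)
    print(f"decoded length: {len(decoded)} bytes")
    print(f"entropy: {shannon_entropy_bits_per_byte(decoded):.2f} bits/byte, "
          f"looks random: {looks_random(decoded)}")

    secret = new_session_secret()
    t1, t2 = issue_form_token(secret), issue_form_token(secret)
    print("two copies of the form differ:", t1 != t2)
    print("both verify against the session:",
          verify_form_token(t1, secret) and verify_form_token(t2, secret))
    print("token from another session rejected:",
          not verify_form_token(t1, new_session_secret()))
```

The entropy figure is only a screen: it will flag a counter or a base64-encoded timestamp, but cannot distinguish a well-masked token from one produced by a weak generator, which is why the server-side check is a constant-time comparison against a session-bound value rather than anything about the token's appearance.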