trying to auto login to an https site

etrin

Senior member
Aug 10, 2001
692
5
81
I was trying this but I get no input into our web site, and I don't know if I am doing something wrong or it's a secure site and won't allow this to work.
I am not an expert on HTML and this is what some people said might work.
OK, it opens the page and just sits there.

Can anyone tell me what I need to do to get it to work?
When I run this it's sitting with focus on Username but it passes nothing to the page.

<html>
<head>
<script>
<!--
function login() {
document.form1.action="https://base.uams.edu/redcap/";
document.form1.submit();
}
//-->
</script>
</HEAD>
<BODY onLoad="login()">

<form NAME="form1" id=form1 method="POST" >

<input type=hidden name="username" value="YOUR USER NAME GOES HERE">
<input type=hidden name="password" value="YOUR PASSWORD GOES HERE">
</form>
</body>
</html>
 

nickbits

Diamond Member
Mar 10, 2008
4,122
1
81
Are you sure you have all the parameters?
The site might also be doing something with cookies.
You might have the wrong action URL. I doubt the form posts to a directory.
Check out the traffic in an HTTP monitor like fiddler2.
 

nickbits

Diamond Member
Mar 10, 2008
4,122
1
81
I can try to get something working tomorrow if you are still stuck. PM me tomorrow if interested.
 

Leros

Lifer
Jul 11, 2004
21,867
7
81
It looks like they might be injecting a token into the form when it's being submitted (probably to prevent people from doing stuff like you're trying to do).

When I submit the form I get the following params sent to the server.
username:test
password:test
redcap_login_a38us_09i85:
submitted:1

I suspect the third one is some kind of unique token that has to match something to make the form submission valid. Might be something else, I didn't really look into it too much.
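An added example, not part of the original thread and not REDCap's actual code: a minimal sketch of the kind of server-side check suspected above, where a hidden form field carries a token bound to the visitor's session and the login POST is refused before any credential check if it is absent or wrong. The field name `login_token`, the cookie name `session` and the HMAC scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed secret, known only to the server
# "login_token" is a hypothetical field name; "submitted" is the flag seen in the capture
REQUIRED_FIELDS = ("username", "password", "login_token", "submitted")


def new_session_id() -> str:
    """Session cookie value set when the real login page is served."""
    return secrets.token_urlsafe(16)


def issue_form_token(session_id: str) -> str:
    """Hidden-field value rendered into the login form for this session only."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_login_post(cookies: dict, form: dict) -> str:
    """Gate that runs before the username/password are even looked at."""
    missing = [f for f in REQUIRED_FIELDS if f not in form]
    if missing:
        return "rejected: missing " + ",".join(missing)
    session_id = cookies.get("session")
    if not session_id:
        return "rejected: no session cookie"
    expected = issue_form_token(session_id).encode()
    supplied = str(form["login_token"]).encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return "rejected: token mismatch"
    return "token ok: proceed to credential check"


def demo() -> list:
    """Constructed requests: the static auto-submit form vs. a normal browser login."""
    sid = new_session_id()
    static_form = {"username": "test", "password": "test"}  # what the script sent
    browser_form = dict(static_form, login_token=issue_form_token(sid), submitted="1")
    stale_form = dict(browser_form, login_token=issue_form_token(new_session_id()))
    return [
        check_login_post({}, static_form),
        check_login_post({"session": sid}, browser_form),
        check_login_post({"session": sid}, stale_form),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Under these assumptions the two-field POST from the static page is refused for the missing fields alone, which matches the difference between the manual login and the scripted one seen in the captured traffic.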
 

etrin

Senior member
Aug 10, 2001
692
5
81
I saw that too..trying fiddler for the first time LOL

I logged in manually and saw
username:test
password:test
redcap_login_a38us_something my cut and paste didn't work
submitted:1

Is the submitted generated when you hit the button?
(Can fiddler show login in real time? All I could do is attempt it and then go look at the results.)
When I ran a script all I see is
username:test
password:test

The cursor is still in the username field and it's highlighted.
At first I thought, OK, I can just hit the submit button and done.
When I did, it sat there for a while then said invalid username or password.
The same action as when you just go to the page and hit submit with no username and password entered.

there are 3 of us who have to go to this page 20+ times a day and this gets old.
And of course the IT folks won't up the timeout on the users.

ps can the timeout be set by user or just for everyone?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
This is by design.

They are preventing all sorts of attacks by not allowing you to submit their forms from a 3rd party site.

What you are trying to do is akin to setting up a phishing site or writing a CSRF exploit.
 

Train

Lifer
Jun 22, 2000
13,572
66
91
www.bing.com
^^ This. CSRF prevention.

Look into using AutoHotKey or some other macro/scripting app.

Should be pretty easy to tie a global hotkey to a macro that fills in two boxes and clicks the submit button.
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
It's not even really CSRF protection, imo. It's just simple cross-domain request authorization, which happens in lots of cases that don't involve any forgery. The server would have to be configured to allow requests from the OP's domain, or as is the case with public APIs, all domains.
 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Are you sure you have all the parameters?
The site might also be doing something with cookies.
You might have the wrong action URL. I doubt the form posts to a directory.
Check out the traffic in an HTTP monitor like fiddler2.

URLs have really ceased being representative of file system structure. This is likely a REST endpoint (I use the term REST very inclusively).
 

nickbits

Diamond Member
Mar 10, 2008
4,122
1
81
URLs have really ceased being representative of file system structure. This is likely a REST endpoint (I use the term REST very inclusively).

Still, most end points do not end in /.

It is correct this time but I was on my phone and couldn't check the html.
 

Train

Lifer
Jun 22, 2000
13,572
66
91
www.bing.com
there are 3 of us who have to go to this page 20+ times a day and this gets old.
And of course the IT folks won't up the timeout on the users.

How long is the timeout?

You could also use a page-refresh plugin to keep your session current through the day.
 

etrin

Senior member
Aug 10, 2001
692
5
81
Tried the page-refresh plugin idea and it's doing what I need.
Using refresh plus for chrome and it's great.
They have it set for 15 minute time out, hell we are getting logged all day but not now.


thanks to everyone for all your help and ideas.

I log in once and stay up all day.

Quick question: they said the only way to up limits before time out is to set it for everyone.
Shouldn't they be able to do it by group or individual?
 