
trying to auto login to an https site

etrin

Senior member
I was trying this but I get no input into our web site, and I don't know if I am doing something wrong or it's a secure site and won't allow this to work.
I am not an expert on HTML and this is what some people said might work.
OK, it opens the page and just sits there.

can anyone tell me what I need to do to get it to work?
When I run this it's sitting with focus on Username but it passes nothing to the page.

<html>
<head>
<script>
<!--
function login() {
document.form1.action="https://base.uams.edu/redcap/";
document.form1.submit();
}
//-->
</script>
</HEAD>
<BODY onLoad="login()">

<form NAME="form1" id=form1 method="POST" >

<input type=hidden name="username" value="YOUR USER NAME GOES HERE">
<input type=hidden name="password" value="YOUR PASSWORD GOES HERE">
</form>
</body>
</html>
 
Are you sure you have all the parameters?
The site might also be doing something with cookies.
You might have the wrong action URL. I doubt the form posts to a directory.
Check out the traffic in an HTTP monitor like fiddler2.
 
It looks like they might be injecting a token into the form when it's being submitted (probably to prevent people from doing stuff like you're trying to do).

When I submit the form I get the following params sent to the server.
username:test
password:test
redcap_login_a38us_09i85:
submitted:1

I suspect the third one is some kind of unique token that has to match something to make the form submission valid. Might be something else, I didn't really look into it too much.
 
I saw that too..trying fiddler for the first time LOL

I logged in manually and saw
username:test
password:test
redcap_login_a38us_something my cut and paste didn't work
submitted:1

is the submitted generated when you hit the button?
(can fiddler show login in real time? all I could do is attempt it and then go look at the results.)
when I ran a script all I see is
username:test
password:test

The cursor is still in the username field and it's highlighted.
At first I thought, OK, I can just hit the submit button and done.
When I did, it sat there for a while, then said invalid username or password.
That's the same action as when you just go to the page and hit submit with no username and password entered.

there are 3 of us who have to go to this page 20+ times a day and this gets old.
And of course the IT folks won't up the timeout on the users.

ps can the timeout be set by user or just for everyone?
 
This is by design.

They are preventing all sorts of attacks by not allowing you to submit their forms from a 3rd party site.

What you are trying to do is akin to setting up a phishing site or writing a CSRF exploit.
 
^^ This. CSRF prevention.

Look into using AutoHotKey or some other macro/scripting app.

Should be pretty easy to tie a global hotkey to a macro that fills in two boxes and clicks the submit button.
 
It's not even really CSRF protection, imo. It's just simple cross-domain request authorization, which happens in lots of cases that don't involve any forgery. The server would have to be configured to allow requests from the OP's domain, or as is the case with public APIs, all domains.
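
The hidden-token behaviour suspected earlier in the thread (the extra login field that the scripted form never sent), as an added example that is not part of any post and is not REDCap's code: a server ties a token to the session that rendered the login page and refuses POSTs that lack it. The field name `login_token`, the cookie name `session` and the HMAC construction are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this demo)
TOKEN_FIELD = "login_token"           # hypothetical field name, not the site's real one


def new_session_id() -> str:
    """Value the server sets as the 'session' cookie when it serves the login page."""
    return secrets.token_urlsafe(16)


def issue_token(session_id: str) -> str:
    """Token rendered as a hidden field in the login form served to this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_login_post(cookies: dict, form: dict) -> str:
    """Decide whether a login POST came from a form this server rendered."""
    session_id = cookies.get("session")
    if not session_id:
        return "reject: no session cookie"
    expected = issue_token(session_id)
    sent = form.get(TOKEN_FIELD, "")
    # Constant-time comparison so the check does not leak how much of the token matched.
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return "reject: missing or wrong token"
    return "accept: proceed to credential check"


def demo() -> dict:
    """Run three constructed requests through the check and return the verdicts."""
    sid = new_session_id()
    cookies = {"session": sid}
    # Form filled in on the real login page: the hidden token travels with it.
    genuine = {"username": "test", "password": "test",
               TOKEN_FIELD: issue_token(sid), "submitted": "1"}
    # What the auto-submitting page in the thread sent: credentials only.
    scripted = {"username": "test", "password": "test"}
    # Token copied from a different session's login page.
    replayed = dict(genuine, **{TOKEN_FIELD: issue_token(new_session_id())})
    return {name: check_login_post(cookies, form)
            for name, form in (("genuine", genuine), ("scripted", scripted),
                               ("replayed", replayed))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The credential check only runs after the token check passes, so a form hosted anywhere other than the site's own login page fails before the username and password are looked at.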
 
Are you sure you have all the parameters?
The site might also be doing something with cookies.
You might have the wrong action URL. I doubt the form posts to a directory.
Check out the traffic in an HTTP monitor like fiddler2.

URLs have really ceased being representative of file system structure. This is likely a REST endpoint (I use the term REST very inclusively).
 
URLs have really ceased being representative of file system structure. This is likely a REST endpoint (I use the term REST very inclusively).

Still, most end points do not end in /.

It is correct this time but I was on my phone and couldn't check the html.
 
there are 3 of us who have to go to this page 20+ times a day and this gets old.
And of course the IT folks won't up the timeout on the users.

How long is the timeout?

You could also use a page-refresh plugin to keep your session current through the day.
 
Tried the page-refresh plugin idea and it's doing what I need.
Using refresh plus for chrome and it's great.
They have it set for 15 minute time out, hell we are getting logged all day but not now.


thanks to everyone for all your help and ideas.

I log in once and stay up all day.

quick question they said the only way to up limits before time out is to set it for everyone.
Shouldn't they be able to do it by group or individual?
 