Javascript form POST to website does not recognize my session - javascript

Using JavaScript I would like to automate the submission of data via a form POST to a website that requires a login. Using a browser, I am able to login to this site and create a session. On another tab of the same browser, I would like to open up a second tab on the same browser and load the page where my JavaScript resides and allow the JavaScript code to interact with the website session I created on the first tab so the data being posted is admitted as the session I am logged on from the first tab.
The purpose of this is to automate the posting of data to this website that requires login.
I have the JS that does my form POST automation. However the issue I am encountering is that the JS fails to post to the website because it does not seem to detect or use the session information from the previous tab and therefore thinks I am not logged in.
In short, how can I allow the Javascript http request running in one tab of my browser interact and take advantage of a session I have created with another website I have logged in in another tab of the same browser?

It turns out that i needed to add the withCredentials property to the xmlHttpRequest. Doing this allowed me to impersonate the cookies i already had set on the other tab.

Related

Detect clearing browser cookies in MVC 5

I have searched this for long time, unfortunately I couldn't find a helpful answer. when a user accessing my asp.net mvc 5 application and do a clear cookies from his browser, how can I detect that the cookies has been flushed and sign out the user without refreshing the page?
I have noticed this feature in Gmail. it automatically detects cookies flushing and redirect you to the login page.
Any thoughts?
Almost every login pipeline use cookie.
Usually you store some sort of userHash or even loginToken in cookies on login action.
So you don't detect that cookies flushed. You just check cookie exists on every request and if not - you redirect user.

How to start a valid user session inside an iframe

I need to setup a Master Site that would embed Site 1 and Site 2 in iframes, login and start user sessions within them.
Site 1 (RoR) and Site 2 (unknown framework) has got their own authentication (username, pass, cookies, usual framework security).
Master Site (PHP) server has direct access to Site 1 database and I know the password hashing algorithm so I can validate Master Site's login password against Site 1. Site 2 can get their passwords to be changed accordingly if needed, but no access to db nor framework.
I cannot change anything in either Site 1 or Site 2, unfortunately. I can only build around it though full read access to Site 1 is present.
I've sketched a quick diagram to better show what I mean/need:
a busy cat http://gettaxi.me/public_img/help.png
I need to start a user session inside an iframe. The login credentials of Site 1 are identical to Master Site's as they come from the same db, credentials for Site 2 will be assumed same (might just show login failed if they're not).
Idea list so far:
I could record the login credentials into Master Site cookie and use it to populate the iframe fields. Maybe store an encrypted version and decrypt when needed? But still, storing a password in cookies (even encrypted) seems absurd.
Same as above but store it in Master Site session variable.
The idea of cross-domain cookies seem useless here because every site has to set it's own session cookies, one website can't set it for another...
I've never dealt with anything cross-domain like this so before. So before I go and start coding things like a mad man that might or might not work - I turn to you for help and advice! How would you go about accomplishing this? Is this possible at all?
Additional questions:
Do cookies set by Site 1 and 2 from within iframes behave the same? Are they persistent and if I'd open the same website NOT in an iframe later, would they be accepted?
If storing credentials (cookies/session) is the only way to go: how would I then populate the login fields in an iframe and submit the form? Javascipt? Some neat GET/POST/redirection trick?
Thanks in advance!
Ok, it turned out to be quite simple. And to stick it to the downvoters ... face - I'll post my own solution here, who knows, maybe someone will find it useful.
User logs in to Master Site
Validate credentials
Generate a random client token
Encrypt the password with that token and store the crypto in a session variable
Set a cookie and store that token in users browser
jQuery actions when Link to Site 1 or 2 is clicked:
Send an ajax request to server with that token
Validate user session and decrypt stored password on success
Send the password back to client and pre-fill username and password fields of a hidden form that mimics the iframed website's login form
Submit that form with target="iframe"
Clear those form pre-filled form fields
Vuala, a working cross-domain iframe auto-login...
Of course there's more going on like hiding, unhiding divs on button clicks, session timeouts, token expiry renew upon any user action and so on, but the main thing is that it works! Yes, the password is sent in plain 3 times but none of those websites have HTTPS in place anyway. The password is not stored in plain either.
Update:
Spoke too soon. There are issues with IE and Safari when iframe content returns Access-Control-Allow-Origin headers. Their stronger security policies treat iframe content with caution and do not allow session cookies to be saved. It can either be fixed by dropping privacy setting by a notch in IE, allowing 3rd party cookies in Safari or simply detecting the browser and if it's one of the above - open it in a new tab/window.
Otherwise, works fine in: Chrome, Firefox, Opera and Maxthon

Automatic login to website, which is using ASP.NET

I'm need to automatically perform the login at: http://gsc.klub-modul.dk/. After I am logged in, I need to able to fetch pages from this domain, which requires me to be logged in. As far as I have gathered, the site is using ASP.NET to interact with the server. I am open to all suggestions. I'm looking for a script to do this, as I am still new to this.
What you are trying to do is botting (Automated access of site or online game),so follow these steps,
Generic steps
Monitor the HTTP request being made by the browser (I use
Fiddler,you might also find browser built-in network tool(press F12) handy)
You need to look for cookies especially.
In short you should be able to make same HTTPRequest on each event
(by event I mean first time page request ,page submit for login and
etc)
Use python for botting
use these libraries Mecanize / twill /scrapy / Beautiful Soup
Tutorials to get started
http://docs.python-guide.org/en/latest/scenarios/scrape/
http://www.pythonforbeginners.com/python-on-the-web/web-scraping-with-beautifulsoup/
http://arunrocks.com/easy-practical-web-scraping-in-python/
https://classic.scraperwiki.com/docs/python/python_intro_tutorial/
Stackoverflow links
Scraping sites that require login with Python
Scrape a web page that requires they give you a session cookie first
Fake a cookie to scrape a site in python
Python Scraping Web with Session Cookie
My Advice
I think if you haven't made a web scraper (web-bot or bot-tool) before than you should start with small things like fetching a specific information from a page which doesn't require login then move on to more complex scenarios
As usual Asp.Net uses cookies for session, authorization needs. So basically you just need to make POST request to login page with Login, Password parameters, then you need to obtain cookies from response, and then make new requests for needed pages with these cookies.
By default these cookies are named ASP.NET_SessionId and ASPXAUTH
I have worked on a similar problem but used a generic approach. I used greasemonkey addon in firefox to login on a game and save data on different db. Later I found out that I could've wrote a addon myself (mozilla ref)
Both of these technique will rely on javascript only.(example of a login script of fb in greasemonkey)
The website was on asp.net too! You just need to receive the cookies and login from javascript code. Jsoup is another approach to parse data and login.

Check if user Likes Page with JS API?

I know this has been asked a bunch of times, but I have only seen serverside solutions.
I'm running an iframe app that is embedded into a page as a tab. I want be test to see if the page is liked or not without prompting the user for anything.
Is there a way to do this with just JavaScript? The platoform we are building on is ASPX and I dont really have the option of going serverside.
Its not available because you need to inspect the http post parameter called signed_request and this isn't available on the client side. If the user has authenticated with your app and given you permissions to read their likes/interests, then you could then check with javascript api but I'm guessing you wouldn't want to make them approve your app just for this.

How can I automatically answer a password prompt from an embedded item in an (X)HTML page?

I wrote a web page that displays images from several servers on my network via simple img tags with appropriate href values. The servers require authentication before they will send the images.
It works alright, except on first load the page presents the user with a series of password prompts (one for each server). The user can select the "Remember my password" checkbox, and then subsequent refreshes of the page work without prompting, with correctly updated images. That is, until someone closes out the browser, after which a new set of prompts awaits anyone who opens the page again.
All of the credentials needed are known beforehand, and I don't care if someone could read them in the page source, since this page is in a protected part of an internal intranet site. Everyone with access to this page knows the passwords anyway.
The only browser we're allowed to use is IE 7, so I don't care about compatibility with other browsers at the moment.
Is there any way I can use JavaScript (or some other client-side code) to automatically answer those prompts so the user never sees them?
Thanks very much, in advance.
You can include the authentication in the URL:
<img src="http://paulfisher:tastybacon#internalwebs/path/to/image.png">
Where, of course, paulfisher is my username and my password is tastybacon.
No, javascript can't do this. Here are a couple of options that I've used before to solve this problem:
Change the authentication on the other servers to be either anonymous or integrated.
Proxy in the images: On the server serving the page, add another page that takes in the URL of the remote server. This new page makes a webrequest to the other server and streams the image back. The webrequest can plug in the correct credentials.
Depending on the servers' DNS names, it might be possible to share an authentication cookie across all of the servers. Then you could set up some kind of module on all of the servers to allow the shared authentication.

Categories

Resources