commons-dev mailing list archives

From Marc.Saeges...@apropos.com
Subject RE: HttpClient HTTP response problem
Date Wed, 24 Apr 2002 13:50:48 GMT
I've captured the entire EBay log-in sequence using Ethereal and a browser.
I see the same multiple 200 OK responses so it isn't HttpClient causing the
problem.  HttpClient just doesn't know what to do with them.  I'll take a
deeper look when I get some time.

BTW, I noticed that EBay sends the username and password in cleartext inside
the posted data!  That's horrible, if they aren't going to log in over an SSL
connection the least they could do is encrypt the password first.  Yahoo!
uses JavaScript on their login page to MD5 hash the password even though
they now go through an SSL connection for the actual login process.

Of course, you still can't log in to Yahoo! using HttpClient because Yahoo!
*requires* the client to violate RFC 2616 by responding to a 302 redirected
POST with a new GET request instead of another POST.  That's another thing to
deal with when I get some time.


Marc Saegesser 

> -----Original Message-----
> From: Rick Horowitz [mailto:rickhoro@yahoo.com]
> Sent: Wednesday, April 24, 2002 12:54 AM
> To: Jakarta Commons Developers List
> Subject: RE: HttpClient HTTP response problem
> 
> 
> Marc,
> 
> Thanks very much for addressing this problem. Any help
> you can provide figuring out why I'm seeing these
> extra sets of headers in the EBay http response would
> be greatly appreciated. Doesn't make sense to me
> either. If you can't figure this out...if you find the
> time to try the HTTP GET request with URL
> http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn8
> and let me know if I'm somehow misinterpreting what I
> see, I'd still very much appreciate your help.
> 
> Rick
> 
> 
> --- Marc.Saegesser@apropos.com wrote:
> > I just committed the fix for 8287.  We'll accept 'secure' cookies over an
> > unsecure channel.  RFC 2109 seems to allow this as a valid thing.  It also
> > seems to allow us (the client) some flexibility in how we deal with 'secure'
> > cookies.  So, at least for now, we'll continue to only *send* them out in
> > Cookie headers on secure connections.  This also seems to be the behavior of
> > IIS.
> > 
> > I have no idea, right now, what the hell EBay is doing sending multiple 200
> > OK responses to the GET request.  I'll investigate this a little further and
> > let you know what I come up with.
> > 
> > 
> > Marc Saegesser 
> > 
> > > -----Original Message-----
> > > From: Rick Horowitz [mailto:rickhoro@yahoo.com]
> > > Sent: Tuesday, April 23, 2002 12:42 PM
> > > To: commons-dev@jakarta.apache.org
> > > Subject: HttpClient HTTP response problem
> > > 
> > > 
> > > I'm using HttpClient obtained from CVS a few days ago.
> > > I'm trying to get the EBay login page, which I can
> > > GET from my browser via URL:
> > > 
> > > http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn8
> > > 
> > > With HTTPClient, I'm using: 
> > > 
> > >   GetMethod method = 
> > >       new GetMethod("/aw-cgi/eBayISAPI.dll?SignIn");
> > >   method.setQueryString("SignIn");
> > > 
> > > I'm able to correctly receive the HTTP response body,
> > > but am having a problem with the HTTP headers in the
> > > response, as follows:
> > > 
> > > 1. EBay sends several cookies, 2 of which contain the
> > > "secure" parameter. This causes an exception in
> > > HttpClient because this is not an SSL connection,
> > > causing all cookies to be rejected by HttpClient. I
> > > voted for bug 8287, which I believe addresses this
> > > problem, but no fix as yet, if I'm not mistaken.
> > > 
> > > 2. In HttpMethodBase.readResponseHeaders(), the
> > > following confusing (at least to me) series of HTTP
> > > headers is read by HttpClient when receiving the HTTP
> > > response message:
> > > 
> > > Server: Microsoft-IIS/4.0
> > > Date: Tue, 23 Apr 2002 15:42:50 GMT
> > > Connection: close
> > > Set-Cookie: s=AAAEAAAASAAAARQAAAPqAxTx6u848QDY1LjkxLjIyMS4xMmUxdGVzdENvb2tpZSAkMiRKYWthcnRhICRzbllBam9OL3RyN2JLbk9jSW9jcUEuAA**l; path=/; domain=.ebay.com
> > > Set-Cookie: secure_ticket=n; path=/; domain=.ebay.com; secure
> > > Set-Cookie: secure_ticket_l2=n; path=/; domain=.ebay.com; secure
> > > HTTP/1.1 200 OK
> > > Server: Microsoft-IIS/4.0
> > > Date: Tue, 23 Apr 2002 15:42:50 GMT
> > > Connection: close
> > > Set-Cookie: s=AAAEAAAASAAAARQAAAPqAxTx6u848QDY1LjkxLjIyMS4xMmUxdGVzdENvb2tpZSAkMiRKYWthcnRhICRzbllBam9OL3RyN2JLbk9jSW9jcUEuAA**l; path=/; domain=.ebay.com
> > > HTTP/1.1 200 OK
> > > Server: Microsoft-IIS/4.0
> > > Date: Tue, 23 Apr 2002 15:42:50 GMT
> > > Connection: close
> > > 
> > > Note: the status line is sent by EBay 3 times (the
> > > first one doesn't appear in this list because it is
> > > processed previously by readStatusLine()). Also,
> > > related, is that the headers are repeated after the
> > > status line is resent. Anyone know what's going on
> > > here?
> > > 
> > > I modified the HttpClient code locally to ignore the
> > > additional status lines - clearly there's a problem
> > > here, but I don't know enough about HTTP to figure it
> > > out.
> > > 
> > > Thanks very much in advance for any help. BTW, I like
> > > the product very much in general, although a short
> > > HOW-TO would be useful. Kudos to the authors, and my
> > > thanks for your efforts.
> > > 
> > > Rick 
> > > 
> > > 
> > > 
> > > 
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Yahoo! Games - play chess, backgammon, pool and more
> > > http://games.yahoo.com/
> > > 
> > > --
> > > To unsubscribe, e-mail:   <mailto:commons-dev-unsubscribe@jakarta.apache.org>
> > > For additional commands, e-mail: <mailto:commons-dev-help@jakarta.apache.org>
> > > 

--
To unsubscribe, e-mail:   <mailto:commons-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:commons-dev-help@jakarta.apache.org>
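
The cookie policy described in the quoted message about bug 8287 (accept 'secure' cookies that arrive over a non-SSL connection, but only send them in Cookie headers on secure connections), as an added example that is not part of the original messages and is not HttpClient's code. The function and class names and the placeholder session value are assumptions made for illustration.

```python
# Added illustration, not HttpClient source; all names here are hypothetical.
def parse_set_cookie(header_value, request_host):
    """Parse one Set-Cookie value; attribute names are case-insensitive."""
    first, *attrs = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": request_host, "path": "/", "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key in ("domain", "path") and val.strip():
            cookie[key] = val.strip().lower() if key == "domain" else val.strip()
    return cookie

class Jar:
    def __init__(self):
        self.cookies = {}

    def store(self, header_value, request_host, over_tls):
        # Receive policy: over_tls is deliberately not checked, so a Secure
        # cookie that arrives over plain HTTP is kept rather than rejected.
        c = parse_set_cookie(header_value, request_host)
        self.cookies[(c["name"], c["domain"], c["path"])] = c

    def cookie_header(self, host, path, over_tls):
        # Send policy: Secure cookies leave the jar only on a TLS connection.
        # Path matching is a simple prefix test, enough for this sketch.
        out = []
        for c in self.cookies.values():
            dom = c["domain"].lstrip(".")
            host_ok = host == dom or host.endswith("." + dom)
            if host_ok and path.startswith(c["path"]) and (over_tls or not c["secure"]):
                out.append(c["name"] + "=" + c["value"])
        return "; ".join(out)

# Constructed sample modelled on the headers quoted in the thread
# (the session cookie value is replaced by a placeholder).
SAMPLE = ["s=PLACEHOLDER; path=/; domain=.ebay.com",
          "secure_ticket=n; path=/; domain=.ebay.com; secure",
          "secure_ticket_l2=n; path=/; domain=.ebay.com; secure"]

def demo():
    jar = Jar()
    for h in SAMPLE:
        jar.store(h, "cgi3.ebay.com", over_tls=False)  # plain-HTTP response
    return (jar.cookie_header("cgi3.ebay.com", "/aw-cgi/x", over_tls=False),
            jar.cookie_header("cgi3.ebay.com", "/aw-cgi/x", over_tls=True))

if __name__ == "__main__":
    print(demo())
```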

