hc-httpclient-users mailing list archives

From Jeff Davis <j...@FlyingDiamond.com>
Subject Re: Redirect on authentication
Date Thu, 26 Feb 2009 07:09:50 GMT

Scripted logins are generally purposely hard to crack.  There are quite 
possibly hidden vars along with the user and pass, sometimes JavaScript 
modifies a post field before it's sent, and also cookies are set that 
must be duplicated.

I have always found a packet analyzer such as Wireshark helpful to get a 
clear understanding of how the login process looks when using a browser, 
then comparing that to what the packets look like with the httpclient app.

That should get you started in the right direction, if you look a little 


bo wrote:
> Hi
> I'm trying to do form-based authentication. Here's what happens according to
> Firebug
> 1. Hit the URL (GET http://foo.com)
> 2. That gets response code 302 and gets redirected (GET
> http://foo.com/session/new) which brings a login form
> 3. Login form is POST with action="https://foo.com/session" and two fields
> uname and passwd
> 4. Submitting the form gets 302 (POST https://foo.com/session) and then GET
> http://foo.com/session/new which brings index page content
> I'm not clear if I need to follow both redirects and what is the best way to
> do it. Test code that I have follows
>         DefaultHttpClient client = new DefaultHttpClient();
>         HttpGet get = new HttpGet("http://foo.com/");
>         HttpResponse response = client.execute(get);
>         System.out.println(response.getStatusLine());
>         response.getEntity().consumeContent();
>         // do the form post, retain all the cookies
>         HttpPost post = new HttpPost("https://foo.com/session/new");
>         List <NameValuePair> nvps = new ArrayList <NameValuePair>();
>         nvps.add(new BasicNameValuePair("login", "dude@gmail.com"));
>         nvps.add(new BasicNameValuePair("password", "Foo"));
>         nvps.add(new BasicNameValuePair("commit", "Sign In")); // this is actually a submit button
>         post.setEntity(new UrlEncodedFormEntity(nvps, HTTP.UTF_8));
>         HttpResponse postresponse = client.execute(post);
>         ResponseHandler<String> handler = new BasicResponseHandler();
>         String body = handler.handleResponse(postresponse);
>         System.out.println(body);
>         // still prints out login form
> Thanks,
> Bob S.
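
Added example, not part of the original thread or of the HttpClient project: a plain-Java program (Java 10+, no HttpClient dependency) for the point about hidden vars, reading the POST target and every input field, hidden ones included, from the served login form instead of hard-coding them. The HTML sample, the `authenticity_token` field and the credentials are constructed for illustration, and the regex parsing assumes double-quoted attributes.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

public class LoginFormFields {
    // Constructed sample of the form served at http://foo.com/session/new.
    // The hidden "authenticity_token" field is an assumption for illustration.
    static final String PAGE =
        "<form method=\"post\" action=\"https://foo.com/session\">"
      + "<input type=\"hidden\" name=\"authenticity_token\" value=\"SAMPLE+TOKEN/123=\">"
      + "<input type=\"text\" name=\"uname\" value=\"\">"
      + "<input type=\"password\" name=\"passwd\">"
      + "<input type=\"submit\" name=\"commit\" value=\"Sign In\"></form>";

    // Return the value of one attribute inside a single tag, or null if absent.
    static String attr(String tag, String name) {
        Matcher m = Pattern.compile("\\b" + name + "\\s*=\\s*\"([^\"]*)\"",
                                    Pattern.CASE_INSENSITIVE).matcher(tag);
        return m.find() ? m.group(1) : null;
    }

    // Collect every named <input>, hidden ones included, in document order.
    static Map<String, String> fields(String html) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher m = Pattern.compile("<input\\b[^>]*>", Pattern.CASE_INSENSITIVE).matcher(html);
        while (m.find()) {
            String name = attr(m.group(), "name"), value = attr(m.group(), "value");
            if (name != null) out.put(name, value == null ? "" : value);
        }
        return out;
    }

    public static void main(String[] args) {
        Matcher form = Pattern.compile("<form\\b[^>]*>", Pattern.CASE_INSENSITIVE).matcher(PAGE);
        if (!form.find()) throw new IllegalStateException("no form in page");
        // Resolve the action against the URL the form was served from.
        URI target = URI.create("http://foo.com/session/new").resolve(attr(form.group(), "action"));
        Map<String, String> f = fields(PAGE);
        f.put("uname", "user@example.com");  // placeholder credentials,
        f.put("passwd", "placeholder");      // overlaid on the served defaults
        StringJoiner body = new StringJoiner("&");
        for (Map.Entry<String, String> e : f.entrySet())
            body.add(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                   + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        System.out.println("POST " + target + "\n" + body);
    }
}
```

The resulting name/value pairs map directly onto the `BasicNameValuePair` list in the quoted code; the POST still has to go through the same client instance that fetched the form so the session cookies are sent back.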
