* * *

Author Topic: https login with Synapse or similar  (Read 690 times)

kapibara

  • Sr. Member
  • ****
  • Posts: 430
https login with Synapse or similar
« on: February 10, 2017, 06:46:16 pm »
I need to login with Synapse HTTPSend or similar to a webpage where I'm a customer, but don't manage. There is no redirect so it should actually be straightforward.

Three values:

j_username
j_password
url

Shouldnt the code below be enough? The result is: "status":"invalid","heading":"Wrong username or password. (substituted here of course)

Code: Pascal  [Select]
  1. WriteStrToStream(HTTPSend.Document, AnsiString('j_username=somename&j_password=somepass&url=https://www.avanza.se/start'));
  2.  
  3. HTTPSend.HTTPMethod('POST','https://www.avanza.se/ab/handlelogin');
  4.  

I have added "ssl_openssl" to the uses, because thats needed for https I read.

If someone knows how to do it with Indy or fphttpclient, thats also fine.
« Last Edit: February 10, 2017, 07:08:52 pm by kapibara »
Lazarus trunk / fpc 3.0 / Debian Stretch 64-bit

rvk

  • Hero Member
  • *****
  • Posts: 2387
Re: https login with Synapse or similar
« Reply #1 on: February 10, 2017, 07:14:25 pm »
You need to know how the server is expecting those three values.
Now you just pass them like they are on an URL-line (URLEncoded). That seldom works.

But maybe the server expects them in a JSon (the same as it answers).

Or maybe it expects them in the form of form-data (like http-page) with mime-type "multipart/form-data; boundary=xx".


Also, when you are able to login you probably also need to store the cookies/session variables because retrieving subsequent pages need them.


A small example I use in Delphi to convert the &-form to real form-date like a HTTP-form does:

Code: Pascal  [Select]
  1. { Converts field1=a&field2=b to proper form-data }
  2. procedure ConvertPostFields(var EncodedFields: string; var MimeType: string);
  3. var
  4.   Bound, s: string;
  5.   Ts: TStringList;
  6.   i: integer;
  7. begin
  8.   Bound := IntToHex(Random(MaxInt), 8) + '_Synapse_boundary';
  9.   Ts := TStringList.Create;
  10.   try
  11.     Ts.Delimiter := '&';
  12.     Ts.StrictDelimiter := true;
  13.     Ts.DelimitedText := EncodedFields;
  14.     s := '';
  15.     for i := 0 to Ts.Count - 1 do
  16.     begin
  17.       s := s + CRLF;
  18.       s := s + '--' + Bound + CRLF;
  19.       s := s + 'Content-Disposition: form-data; name="' + Ts.Names[i] + '"' + CRLF;
  20.       s := s + CRLF + Ts.ValueFromIndex[i];
  21.     end;
  22.     s := s + CRLF + '--' + Bound + '--' + CRLF;
  23.     MimeType := 'multipart/form-data; boundary=' + Bound;
  24.     EncodedFields := s;
  25.   finally
  26.       Ts.Free;
  27.   end;
  28. end;
  29.  
  30. ...
  31. Param := AnsiString('j_username=somename&j_password=somepass&url=https://www.avanza.se/start');
  32. ConvertPostFields(Param, Mime); // this converts the &-fields  to proper form-data
  33. WriteStrToStream(HTTPSend.Document, ansistring(Param));
  34. HTTPSend.MimeType := Mime;
  35. HTTPSend.HTTPMethod('POST','https://www.avanza.se/ab/handlelogin');
  36.  

kapibara

  • Sr. Member
  • ****
  • Posts: 430
Re: https login with Synapse or similar
« Reply #2 on: February 10, 2017, 08:02:27 pm »
Thanks. I went ahead and tried that code, but HTTPSend.HTTPMethod returned false. This is what the Param variable contained when it was sent:

Code: Pascal  [Select]
  1. #13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="j_username"'#13#10#13#10'somename'#13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="j_password"'#13#10#13#10'somepass'#13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="url"'#13#10#13#10'https://www.avanza.se/start'#13#10'--463F8555_Synapse_boundary--'#13#10

How do I find out if the site needs something more?
Lazarus trunk / fpc 3.0 / Debian Stretch 64-bit

rvk

  • Hero Member
  • *****
  • Posts: 2387
Re: https login with Synapse or similar
« Reply #3 on: February 10, 2017, 10:50:50 pm »
Yes, the source of the posted fields are
Code: [Select]
--463F8555_Synapse_boundary
Content-Disposition: form-data; name="j_username"

somename
--463F8555_Synapse_boundary
Content-Disposition: form-data; name="j_password"

somepass
--463F8555_Synapse_boundary
Content-Disposition: form-data; name="url"

https://www.avanza.se/start
--463F8555_Synapse_boundary--

But I had another look at that page and it probably can take the url-encoded form you used.

Did you set all the correct parameters (like mimetype) ?
Did you url-encode the url-parameter?
Is your username password correct?

Code: Pascal  [Select]
  1. WriteStrToStream(HTTPSend.Document, AnsiString('j_username=somename&j_password=somapass&url=https%3A%2F%2Fwww.avanza.se%2Fstart'));
  2. HTTPSend.MimeType := 'application/x-www-form-urlencoded';
  3. HTTPSend.HTTPMethod('POST','https://www.avanza.se/ab/handlelogin');

R0b0t1

  • Jr. Member
  • **
  • Posts: 72
Re: https login with Synapse or similar
« Reply #4 on: February 10, 2017, 10:55:34 pm »
Thanks. I went ahead and tried that code, but HTTPSend.HTTPMethod returned false. This is what the Param variable contained when it was sent:

Code: Pascal  [Select]
  1. #13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="j_username"'#13#10#13#10'somename'#13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="j_password"'#13#10#13#10'somepass'#13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="url"'#13#10#13#10'https://www.avanza.se/start'#13#10'--463F8555_Synapse_boundary--'#13#10

How do I find out if the site needs something more?

I would suggest capturing a successful login performed by your browser. The best tools for this might be in your browser already (Firefox Ctrl+Shift+Q, Network Monitor plugin for Chrome) but there is always WireShark. This will quickly get you all of the data rvk suggested you check.

It's also possible to look at the website's source if it doesn't document the login API, but it's possible to miss hidden form fields this way.

kapibara

  • Sr. Member
  • ****
  • Posts: 430
Re: https login with Synapse or similar
« Reply #5 on: February 11, 2017, 09:24:26 pm »
Just got a really bad flu :-( Will try this in a few days.
Lazarus trunk / fpc 3.0 / Debian Stretch 64-bit

Remy Lebeau

  • Full Member
  • ***
  • Posts: 183
    • Lebeau Software
Re: https login with Synapse or similar
« Reply #6 on: February 14, 2017, 12:01:27 am »
I would suggest capturing a successful login performed by your browser. The best tools for this might be in your browser already (Firefox Ctrl+Shift+Q, Network Monitor plugin for Chrome) but there is always WireShark.

Wireshark cannot decode HTTPS traffic unless you have the server's private key.  Fiddler can decode HTTPS, though.
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) open source project - Admin, Developer

Remy Lebeau

  • Full Member
  • ***
  • Posts: 183
    • Lebeau Software
Re: https login with Synapse or similar
« Reply #7 on: February 14, 2017, 12:13:36 am »
Shouldnt the code below be enough? The result is: "status":"invalid","heading":"Wrong username or password. (substituted here of course)

You are not URL-encoding the '/' characters in the "url" value:

Code: Pascal  [Select]
  1. WriteStrToStream(HTTPSend.Document, 'j_username=somename&j_password=somepass&url=https%3A%2F%2Fwww.avanza.se%2Fstart');

Also, since HTTPSend.Document is a stream, try resetting its Position back to 0 after writing to it and before posting it:

Code: Pascal  [Select]
  1. HTTPSend.Document.Position := 0;
  2. HTTPSend.HTTPMethod('POST', 'https://www.avanza.se/ab/handlelogin');

If someone knows how to do it with Indy or fphttpclient, thats also fine.

Here is the Indy equivalent:

Code: Pascal  [Select]
  1. Params := TStringList.Create;
  2. try
  3.   Params.Add('j_username=somename');
  4.   Params.Add('j_password=somepass');
  5.   Params.Add('url=https://www.avanza.se/start'); // <-- DO NOT url-encode here! Post() will handle that internally
  6.  
  7.   // make sure an SSLIOHandler component, like TIdSSLIOHandlerSocketOpenSSL, is
  8.   // assigned to the TIdHTTP.IOHandler property beforehand, or at least is in the 'uses'
  9.   // clause if you are using an up-to-date version of Indy...
  10.  
  11.   IdHTTP1.Request.ContentType := 'application/x-www-form-urlencoded';
  12.   IdHTTP1.Post('https://www.avanza.se/ab/handlelogin', Params);
  13. finally
  14.   Params.Free;
  15. end;
« Last Edit: February 14, 2017, 12:15:55 am by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) open source project - Admin, Developer

 

Recent

Get Lazarus at SourceForge.net. Fast, secure and Free Open Source software downloads Open Hub project report for Lazarus