https login with Synapse or similar

[kapibara]

I need to login with Synapse HTTPSend or similar to a webpage where I'm a customer, but don't manage. There is no redirect so it should actually be straightforward.

Three values:

j_username
j_password
url

Shouldnt the code below be enough? The result is: "status":"invalid","heading":"Wrong username or password. (substituted here of course)

Code: Pascal  [Select][+][-]

1. WriteStrToStream(HTTPSend.Document, AnsiString('j_username=somename&j_password=somepass&url=https://www.avanza.se/start'));
2.  
3. HTTPSend.HTTPMethod('POST','https://www.avanza.se/ab/handlelogin');
4.  

I have added "ssl_openssl" to the uses, because thats needed for https I read.

If someone knows how to do it with Indy or fphttpclient, thats also fine.

[rvk]

You need to know how the server is expecting those three values.
Now you just pass them like they are on an URL-line (URLEncoded). That seldom works.

But maybe the server expects them in a JSon (the same as it answers).

Or maybe it expects them in the form of form-data (like http-page) with mime-type "multipart/form-data; boundary=xx".


Also, when you are able to login you probably also need to store the cookies/session variables because retrieving subsequent pages need them.


A small example I use in Delphi to convert the &-form to real form-date like a HTTP-form does:

Code: Pascal  [Select][+][-]

1. { Converts field1=a&field2=b to proper form-data }
2. procedure ConvertPostFields(var EncodedFields: string; var MimeType: string);
3. var
4.   Bound, s: string;
5.   Ts: TStringList;
6.   i: integer;
7. begin
8.   Bound := IntToHex(Random(MaxInt), 8) + '_Synapse_boundary';
9.   Ts := TStringList.Create;
10.   try
11.     Ts.Delimiter := '&';
12.     Ts.StrictDelimiter := true;
13.     Ts.DelimitedText := EncodedFields;
14.     s := '';
15.     for i := 0 to Ts.Count - 1 do
16.     begin
17.       s := s + CRLF;
18.       s := s + '--' + Bound + CRLF;
19.       s := s + 'Content-Disposition: form-data; name="' + Ts.Names[i] + '"' + CRLF;
20.       s := s + CRLF + Ts.ValueFromIndex[i];
21.     end;
22.     s := s + CRLF + '--' + Bound + '--' + CRLF;
23.     MimeType := 'multipart/form-data; boundary=' + Bound;
24.     EncodedFields := s;
25.   finally
26.       Ts.Free;
27.   end;
28. end;
29.  
30. ...
31. Param := AnsiString('j_username=somename&j_password=somepass&url=https://www.avanza.se/start');
32. ConvertPostFields(Param, Mime); // this converts the &-fields  to proper form-data
33. WriteStrToStream(HTTPSend.Document, ansistring(Param));
34. HTTPSend.MimeType := Mime;
35. HTTPSend.HTTPMethod('POST','https://www.avanza.se/ab/handlelogin');
36.  

[kapibara]

Thanks. I went ahead and tried that code, but HTTPSend.HTTPMethod returned false. This is what the Param variable contained when it was sent:

Code: Pascal  [Select][+][-]

1. #13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="j_username"'#13#10#13#10'somename'#13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="j_password"'#13#10#13#10'somepass'#13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="url"'#13#10#13#10'https://www.avanza.se/start'#13#10'--463F8555_Synapse_boundary--'#13#10

How do I find out if the site needs something more?

[rvk]

Yes, the source of the posted fields are

Code: [Select]

--463F8555_Synapse_boundary
Content-Disposition: form-data; name="j_username"

somename
--463F8555_Synapse_boundary
Content-Disposition: form-data; name="j_password"

somepass
--463F8555_Synapse_boundary
Content-Disposition: form-data; name="url"

https://www.avanza.se/start
--463F8555_Synapse_boundary--
But I had another look at that page and it probably can take the url-encoded form you used.

Did you set all the correct parameters (like mimetype) ?
Did you url-encode the url-parameter?
Is your username password correct?

Code: Pascal  [Select][+][-]

1. WriteStrToStream(HTTPSend.Document, AnsiString('j_username=somename&j_password=somapass&url=https%3A%2F%2Fwww.avanza.se%2Fstart'));
2. HTTPSend.MimeType := 'application/x-www-form-urlencoded';
3. HTTPSend.HTTPMethod('POST','https://www.avanza.se/ab/handlelogin');

[guest60499]

Thanks. I went ahead and tried that code, but HTTPSend.HTTPMethod returned false. This is what the Param variable contained when it was sent:

Code: Pascal  [Select][+][-]

1. #13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="j_username"'#13#10#13#10'somename'#13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="j_password"'#13#10#13#10'somepass'#13#10'--463F8555_Synapse_boundary'#13#10'Content-Disposition: form-data; name="url"'#13#10#13#10'https://www.avanza.se/start'#13#10'--463F8555_Synapse_boundary--'#13#10

How do I find out if the site needs something more?

I would suggest capturing a successful login performed by your browser. The best tools for this might be in your browser already (Firefox Ctrl+Shift+Q, Network Monitor plugin for Chrome) but there is always WireShark. This will quickly get you all of the data rvk suggested you check.

It's also possible to look at the website's source if it doesn't document the login API, but it's possible to miss hidden form fields this way.

[kapibara]

Just got a really bad flu :-( Will try this in a few days.

[Remy Lebeau]

I would suggest capturing a successful login performed by your browser. The best tools for this might be in your browser already (Firefox Ctrl+Shift+Q, Network Monitor plugin for Chrome) but there is always WireShark.

Wireshark cannot decode HTTPS traffic unless you have the server's private key.  Fiddler can decode HTTPS, though.

[Remy Lebeau]

Shouldnt the code below be enough? The result is: "status":"invalid","heading":"Wrong username or password. (substituted here of course)

You are not URL-encoding the '/' characters in the "url" value:

Code: Pascal  [Select][+][-]

1. WriteStrToStream(HTTPSend.Document, 'j_username=somename&j_password=somepass&url=https%3A%2F%2Fwww.avanza.se%2Fstart');

Also, since HTTPSend.Document is a stream, try resetting its Position back to 0 after writing to it and before posting it:

Code: Pascal  [Select][+][-]

1. HTTPSend.Document.Position := 0;
2. HTTPSend.HTTPMethod('POST', 'https://www.avanza.se/ab/handlelogin');

If someone knows how to do it with Indy or fphttpclient, thats also fine.

Here is the Indy equivalent:

Code: Pascal  [Select][+][-]

1. Params := TStringList.Create;
2. try
3.   Params.Add('j_username=somename');
4.   Params.Add('j_password=somepass');
5.   Params.Add('url=https://www.avanza.se/start'); // <-- DO NOT url-encode here! Post() will handle that internally
6.  
7.   // make sure an SSLIOHandler component, like TIdSSLIOHandlerSocketOpenSSL, is
8.   // assigned to the TIdHTTP.IOHandler property beforehand, or at least is in the 'uses'
9.   // clause if you are using an up-to-date version of Indy...
10.  
11.   IdHTTP1.Request.ContentType := 'application/x-www-form-urlencoded';
12.   IdHTTP1.Post('https://www.avanza.se/ab/handlelogin', Params);
13. finally
14.   Params.Free;
15. end;