-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Jun 08, 2016 at 01:02:54PM +0000, Bob wrote:
[...] > Hello Tomas, > > Thanks for your explanation. At my end a funny thing happens which > now questions the whole web based authentication of this provider. I > have discovered a simple link (which happens during a quick > redirection after pressing login button) > > http://<link>/login1.html?a=%3F<username>%2B%2F%40&b=%3F<password>%2B%2F%40 > > I logout to kill my session and then put the same on browser, I > logged in straight :-) Again, your browser is pulling your leg. What you are doing with this command line is equivalent to sending your filled in login form (you are sending what the browser would do via "URL query parameters". The next step is the server sending back a fresh session ID in a cookie (and possibly a redirect to the "real" page). From then on you're in business. > How can I send that link through command line then ? Simple: just "curl" it: curl 'http://<link>/login1.html?a=%3F<username>%2B%2F%40&b=%3F<password>%2B%2F%40' but as I said, this'll just give you the first step in a multi-step process. You'd have possibly to follow (at least) one redirect, offering the cookie you just harvested. That's where curl's options - -c (set cookie jar) and -L (follow redirect) come in. Try to find a way to watch what your browser's doing. It's much more instructive than reading my incomplete guesses :-) regards - -- tomás -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAldYHW8ACgkQBcgs9XrR2kZ9qACfQ+n5GTVFsO22i060kFqu3OJR RWoAmwcgPTy21GVVCjaZ6+UuDVfzCgT2 =qaKj -----END PGP SIGNATURE-----
