Security problem

08-07-2004, 01:10 PM
I'm trying to connect to a server by script. And when I look at their form, there are no hidden fields, and they don't even set cookies.
When I access the script that makes the login, it returns "Your user session has expired" but there are no cookies stored.
What kind of security is this? How do they know that you are logged in, if they don't set cookies?

08-08-2004, 12:32 AM
- they use sessions (and propagate the sessionID in the querystring)
- they use a db and check against your IP (and wrongly assume that that will stay the same during your session and that it is user-specific)

08-16-2004, 11:49 AM
Ok, so that I understand. But what can I do to make my login work? A hint? Does this have something to do with headers I'm getting back from the server or do I have to send a specific header or a post field?
I'm lost.

08-16-2004, 11:55 AM
The server sends me back an 'ETag' header. I've looked over the internet for documentation on this ETag header and I'm not really sure what I should send back to the server. I think the ETag header is coded and I do not have the decode key. Does this complicate things more than they were?

08-16-2004, 03:34 PM
It's impossible for us to advise since we don't see what's going on.

Why don't you contact the other party and ask what goes wrong or how you can login correctly?

08-16-2004, 04:01 PM
I agree, there are just too many issues that could happen during a login procedure, so we can't give good advice. What I would do in your case is to watch the network traffic while you do a standard login through their website. Capture the HTTP headers sent and re-send them with your script. There is a helpful Mozilla plugin that can assist with this task: LiveHTTPHeaders (http://livehttpheaders.mozdev.org/)
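
Added example, not part of any post in this thread: a Python sketch that takes one captured HTTP response (the kind of capture suggested above) and reports where session state is carried, covering the query-string session ID mentioned in the 08-08 reply. The sample capture, the `PHPSESSID` value, the ETag value and the session-name pattern are constructed assumptions.

```python
import re
from email.parser import Parser
from urllib.parse import urlsplit, parse_qsl

# Parameter names that usually mark a URL-propagated session ID (assumed pattern).
SESSION_PARAM = re.compile(r"(sess|sid|token)", re.I)

def session_params(url):
    """Return session-like (name, value) pairs from a URL's query or ;path params."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query)
    # Java-style URL rewriting puts the ID after ';' in the path.
    for seg in parts.path.split(";")[1:]:
        pairs += parse_qsl(seg)
    return [(k, v) for k, v in pairs if SESSION_PARAM.search(k)]

def find_session_carriers(raw):
    """Classify how a captured HTTP response carries session state."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    _status, _, header_text = head.partition("\n")
    headers = Parser().parsestr(header_text, headersonly=True)
    urls = re.findall(r'(?:href|action)="([^"]+)"', body, re.I)
    if headers.get("Location"):
        urls.append(headers["Location"])
    return {
        "cookies": [c.split("=", 1)[0].strip()
                    for c in headers.get_all("Set-Cookie", [])],
        "url_params": sorted({p for u in urls for p in session_params(u)}),
        "hidden_fields": re.findall(
            r'<input[^>]+type="hidden"[^>]+name="([^"]+)"', body, re.I),
        # ETag is a cache validator (echoed in If-None-Match), not a login token.
        "etag": headers.get("ETag"),
    }

# Constructed capture: no cookies, no hidden fields, session ID rewritten into links.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    'ETag: "3f80f-1b6-3e1cb03b"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form action="/login.php?PHPSESSID=4a1c9e07b2d3" method="post">'
    '<input type="text" name="user"><input type="password" name="pass"></form>'
    '<a href="/help.php?PHPSESSID=4a1c9e07b2d3&topic=1">help</a>'
)

if __name__ == "__main__":
    print(find_session_carriers(SAMPLE))
```

A session ID found under `url_params` also ends up in server logs, browser history and Referer headers, which is why cookie-based propagation is generally preferred on the server side.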

08-17-2004, 10:28 AM
Thanks, this LiveHTTPHeaders really helps me.
Hope I'll do it eventually.