Re: curl and form submission

To: debian-user@lists.debian.org
Subject: Re: curl and form submission
From: tomas@tuxteam.de
Date: Wed, 8 Jun 2016 12:20:38 +0200
Message-id: <[🔎] 20160608102038.GA18966@tuxteam.de>
In-reply-to: <4068f615-b5ff-12b7-ba5c-ad5398fefb75@gmail.com>
References: <[🔎] 113f1c5d-9c5d-458d-f662-3b25712e3284@gmail.com> <[🔎] 20160608071117.GA13374@tuxteam.de> <4068f615-b5ff-12b7-ba5c-ad5398fefb75@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[please keep replies to list, so that others can chime in]

On Wed, Jun 08, 2016 at 10:03:38AM +0000, Bob wrote:
> 
> On Wednesday 08 June 2016 07:11 AM, tomas@tuxteam.de wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On Tue, Jun 07, 2016 at 03:33:40PM +0000, Bob wrote:
> >>Hello list,
> >>
> >>I'm trying to automate my internet login which is based on a web
> >>form [...]

> >>Your clue will be helpful.
> >Most probably yes: those "modern" login forms elicit a response with
> >some session key which the browser uses from then on to "prove" to
> >the server that authentication happened.
> >
> >You have to simulate that.

[...]

> You are correct Tomas,
> 
> When I call the curl and investigate very first few lines I get the session
> 
> ~~~~~
> < HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=A22B8981871A8A4779F5DEB8ACC5D1B8; Path=/loginarea
> < Content-Type: text/html
> < Transfer-Encoding: chunked
> 
> So, I wonder If I can make my previous command [curl -sd
> "Username=<username>&Password=<password>&submit=Login"
> http://<link>/Login.jsp
> ] work with correct session. How can I collect the session then ? I
> like to share, if any other tool can help me to autologin with the
> web based form, I am open with that too.

First you have to realize that the whole process consists of several
back-and-forths (your web browser hides this fact from you). The
client contacts the server, the server sees "no session" and redirects
to the login page, this comes back with a session ID, then the
browser goes to do useful work, providing the just-received cookie.

Then, there's the option -c to curl (cf. curl's excellent, albeit a
bit terse documentation), in which you provide a file name where
curl is supposed to manage cookies for a request series.

So the rough schema will be (at least):

  curl -c <cookie jar> login-page       # this stores above cookie
  curl -c <cookie jar> some-useful-page # this uses the cookie

perhaps more back-and-forths.

Go install firebug (if you're using firefox as your browser) and have
a look what your browser is doing: this will give you an idea of what
it'd take to teach curl.

Alternatively, and if the connection is not encrypted, you can spy on
it with wireshark.

In any case you'll need a bit of patience to be able to control all
this. Just don't hesitate to come back!

HTH
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAldX8XYACgkQBcgs9XrR2kY+sgCfdQwmRSlyTt7zTwkYXqgaLN1/
5fAAniEEP+DfkNeKDaj4dBSN7MFr6Vf6
=qh5B
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: curl and form submission
  - From: Bob <bobnlinux@gmail.com>

References:
- curl and form submission
  - From: Bob <bobnlinux@gmail.com>
- Re: curl and form submission
  - From: <tomas@tuxteam.de>

Prev by Date: Re: Version and Release
Next by Date: Re: Version and Release
Previous by thread: Re: curl and form submission
Next by thread: Re: curl and form submission
Index(es):
- Date
- Thread