http://www.perlmonks.org?node_id=461271


in reply to Log In To guardian.co.uk with WWW::Mechanize

I don't have time to play with this tonight, sorry, but one of the first things I'd do is try the login in firefox with the "Live HTTP Headers" extension turned on. That might give some insight into what's going back and forth.
  • Comment on Re: Log In To guardian.co.uk with WWW::Mechanize

Replies are listed 'Best First'.
Re^2: Log In To guardian.co.uk with WWW::Mechanize
by Cody Pendant (Prior) on May 28, 2005 at 03:37 UTC
    Good call, should have thought of that sooner.

    OK this is what I get:

    http://users.guardian.co.uk/signin/tr/1,13542,-1,00.html POST /signin/tr/1,13542,-1,00.html HTTP/1.1 Host: users.guardian.co.uk User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv: +1.7.8) Gecko/20050511 Firefox/1.0.4 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9 +,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://users.guardian.co.uk/signin/0,12930,-1,00.html?AU_LOGI +N_ID=myusername&AU_PASSWORD=%2D%2D%2D%2D%2D%2D%2D%2D&AU_PASSWORD_HASH +=12f6c69cf906afb85852b32bc04e4c19&AU_CHALLENGE=1117250755&AU_CHALLENG +E2=c486109c620b57c4bc69b4792179cdb9 Cookie: GU_MU=UVdvQE44Q29AamtBQUR2T2VMWXxpV3RHNEZCQmhZeVIzbEI5dzlPUWdB +PT0%3d; GU_LOCATION=YXVzOjU6dmk6NDpyaWNobW9uZDozOi0xOmJyb2FkYmFuZDotM +zcuODMzOjE0NS4wMDBAOTAxOTgyNDIxMjQ4OTE1NTYyMjUzNTI0NzUxOTE0MzIwNjc0Mj +Qz; CP=*; GU_ST=http%3A//www.guardian.co.uk/ Content-Type: application/x-www-form-urlencoded Content-Length: 199 AU_LOGIN_ID=myusername&AU_PASSWORD=--------&AU_KEEP_ME_SIGNED_IN=on&AU +_PASSWORD_HASH=f67c849de72c3939d7169374f761ab9e&AU_CHALLENGE=11172509 +06&AU_CHALLENGE2=fd62bbf5c99827b9b738eac3cb566c35 HTTP/1.x 301 Moved Permanently Date: Sat, 28 May 2005 03:29:00 GMT Server: Apache/1.3.33 (Unix) Set-Cookie: GU_ME=myusername; path=/; expires=Thu, 27 May 2010 03:29:0 +2 GMT; domain=.guardian.co.uk Set-Cookie: GU_MI=mi%5Fi%3D872201%3Bmi%5Fp%3DCRE%2CTLK%2CBRF%2CMGU%3Bg +u%5Fpk%3DCRE%2CTLK%2CMGU%3Bmi%5Fe%3D%21200505310329%3Bmi%5Fs%3Dba40d2 +702ddb6ca1d9f0eb8c61793554; path=/; expires=Thu, 27 May 2010 03:29:02 + GMT; domain=.guardian.co.uk; httponly; Set-Cookie: GU_MY=200505280339:67f4730c3bbbccb2723f33abb5d3e922; path= +/; expires=Sat, 28 May 2005 03:39:02 GMT; domain=users.guardian.co.uk +; httponly; Location: /signin/status/tr/1,13608,-1,00.html Cache-Control: no-cache Pragma: no-cache Expires: 0 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 ---------------------------------------------------------- http://users.guardian.co.uk/signin/status/tr/1,13608,-1,00.html GET /signin/status/tr/1,13608,-1,00.html HTTP/1.1 Host: users.guardian.co.uk User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv: +1.7.8) Gecko/20050511 Firefox/1.0.4 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9 +,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://users.guardian.co.uk/signin/0,12930,-1,00.html?AU_LOGI +N_ID=myusername&AU_PASSWORD=%2D%2D%2D%2D%2D%2D%2D%2D&AU_PASSWORD_HASH +=12f6c69cf906afb85852b32bc04e4c19&AU_CHALLENGE=1117250755&AU_CHALLENG +E2=c486109c620b57c4bc69b4792179cdb9 Cookie: GU_MU=UVdvQE44Q29AamtBQUR2T2VMWXxpV3RHNEZCQmhZeVIzbEI5dzlPUWdB +PT0%3d; GU_LOCATION=YXVzOjU6dmk6NDpyaWNobW9uZDozOi0xOmJyb2FkYmFuZDotM +zcuODMzOjE0NS4wMDBAOTAxOTgyNDIxMjQ4OTE1NTYyMjUzNTI0NzUxOTE0MzIwNjc0Mj +Qz; CP=*; GU_ST=http%3A//www.guardian.co.uk/; GU_ME=myusername; GU_MI +=mi%5Fi%3D872201%3Bmi%5Fp%3DCRE%2CTLK%2CBRF%2CMGU%3Bgu%5Fpk%3DCRE%2CT +LK%2CMGU%3Bmi%5Fe%3D%21200505310329%3Bmi%5Fs%3Dba40d2702ddb6ca1d9f0eb +8c61793554; GU_MY=200505280339:67f4730c3bbbccb2723f33abb5d3e922 HTTP/1.x 301 Moved Permanently Date: Sat, 28 May 2005 03:29:03 GMT Server: Apache/1.3.33 (Unix) Set-Cookie: GU_ME=myusername; path=/; expires=Thu, 27 May 2010 03:29:0 +5 GMT; domain=.guardian.co.uk Set-Cookie: GU_MI=mi%5Fi%3D872201%3Bmi%5Fp%3DCRE%2CTLK%2CBRF%2CMGU%3Bg +u%5Fpk%3DCRE%2CTLK%2CMGU%3Bmi%5Fe%3D%21200505310329%3Bmi%5Fs%3Dba40d2 +702ddb6ca1d9f0eb8c61793554; path=/; expires=Thu, 27 May 2010 03:29:05 + GMT; domain=.guardian.co.uk; httponly; Set-Cookie: GU_ST=; path=/; domain=.guardian.co.uk Location: http://www.guardian.co.uk/ Cache-Control: no-cache Pragma: no-cache Expires: 0 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 ---------------------------------------------------------- http://www.guardian.co.uk/

    At which point I'm taken to the front page and I'm logged in.



    ($_='kkvvttuu bbooppuuiiffss qqffssmm iibbddllffss')
    =~y~b-v~a-z~s; print
      Still no time to work on this, but I'm curious enough to poke at it every once in a while. Between different requests to the login page, here's what changes:
      [11:23am] eero:~/tmp/guardian: diff 0,12930,-1,00.html o 236c236 < <input type="hidden" name="AU_CHALLENGE" value="1117293798"><input t +ype="hidden" name="AU_CHALLENGE2" value="af7fb54d3a917e272e2b7abe1353 +bd51"></form></table></td></tr></table> --- > <input type="hidden" name="AU_CHALLENGE" value="1117293788"><input t +ype="hidden" name="AU_CHALLENGE2" value="59e3978f05fde8396395a576645c +d04b"></form></table></td></tr></table> [11:23am] eero:~/tmp/guardian:
      ...and here's where in the page source the work is done:
      function preparePassword() { var form = document.regpss1; var dummy = '----------------------------------------'; form.AU_PASSWORD_HASH.value = binl2hex(core_hmac_md5(form. +AU_CHALLENGE2.value,form.AU_PASSWORD.value)); form.AU_PASSWORD.value = dummy.substr(0,form.AU_PASSWORD.v +alue.length); regpss_submitted = true; form.submit(); }

      I'm guessing that you'll need to take your password, run it through that hashing sequence and then return that as the actual password in the post. Or something like that.

      I'm surprised nobody's done this yet.
        Oh god. There's an even worse mea culpa coming up.

        My face is literally red.

        I didn't check whether the login was successful or not. I saw an error message and assumed that it meant the login wasn't successful. I am an idiot. If I ignore the error and continue, I am actually logged in.

        I will now dress in virtual sackcloth and do Good Works among the Less Fortunate for a year.



        ($_='kkvvttuu bbooppuuiiffss qqffssmm iibbddllffss')
        =~y~b-v~a-z~s; print
      So what do you think you should do now?