I have a google apps domain that i'd like to create a custom login page for but am having problems.
Google provides documentation for SSO/OpenID/userApi that will do this. The implementation on these docs that I can understand states once a user hits your site they will be sent to the regular gmail login and then sent back to your site once logged in. I'm trying to have them login in a custom page and not be sent over to googles default gmail login. There is other documentation that seems to require SSO and a lot of integration that I am too incompetent to understand which would let you do that, but as I said it's way over my head.
Then I thought I could just copy the form element and create custom css seeing as the action value on the form would authenticate via google. This worked sporadically until I figured out that when you go to https://accounts.google.com/ServiceLoginAuth (the default gmail login) it creates a value (name="GALX" value=Randomletters) in the html form that must match a cookies name and value to be able to submit and authenticate to google.
From here I thought no problem I'll create a hidden iframe to the google login so the cookie populates (it does get the cookie) and then read and insert the value in the html form. That is until I discovered you cannot alter or read another domains cookies for security reasons which makes perfect sense.
Then I thought I could just use php's file_get_contents on the gmail login url to get cookie and the right html and just insert the html into my custom page. I received the html but no cookie this time.
Is there anyway to send a request that would return the html/cookie pair with something like php's file_get_contents('url') or curl? This way I could traverse the file_get_contents object and insert the html into the page via the DOM. Or am I barking up a tree that will never work because security reasons specifically prevent this?
If the above isn't possible could someone explain how I could login my users via a custom login screen?
the google docs for such a project are:
https://developers.google.com/appengine/docs/python/gettingstartedpython27/usingusers
https://developers.google.com/appengine/docs/python/users/#Python_Signing_in_and_out
https://developers.google.com/google-apps/sso/saml_reference_implementation
I believe this is what you're looking for...
http://curl.haxx.se/docs/http-cookies.html
Related
Is there a way that I can read the $_POST of a website that I don't own? For example I want to auto fill someone else's form for my users when they go there, so I wanted to reverse engineer their post.
Or is there a way to auto fill a form on someone else's form?
EDIT:
Some people asked what my motives are. I'm working with a group that doesn't have the right to change a website but wants more registration, and I wanted to see if I could remake the form so it was auto-filled to make registration easier.
The short answer is NO, but, you can sniff the HTTP request.
See this question: can-ones-post-request-data-be-sniffed
Basically, if it's a simple form, you don't need to read the post data, you can simply create an identical form with the same action url and set the method to post. You can auto fill this form and send it to a different site.
You could use FireBug or simply the browsers developer tools and analyze the network tab.
You should find all relevant information in the header section.
Browsers are built NOT to allow interaction between different sources, for example an iframe of site1.com inside site2.com can't communicate with JS.
Being able to read $_POST related to another site would be a security disaster. To assist the user the browsers utilize "auto-fill". That's all you get.
If it's a limited amount of peer-sites you may however contact the respective owner of the site and ask them to add support for passing arguments to their login(?) or registration(?) form, for example:
theothersite.com/register.php?email=theEmailYouKnow
By generating this link on YOUR server you get the email to popup on the other site IF implemented by the maintainer of the other site.
I know how to load a page from another website and analyze it but the website I'm trying to load some pages from, doesn't let unregistered users to visit those pages. I do have a username and a password to load those pages normally in my browser, but I'm wondering if I could do it in PHP or not? :/
I'm not sure what information I should give you about the website but if what I already told is incomplete just ask what information I should give.
Thanks.
Most websites use cookies to store information related to your authentication status.
To get past this programatically, you'll have to send this information everytime you make a request. Here is how you can get it -
Using a tool like firebug, inspect the cookies the site sends when you login manually.
Write code to capture this information and send this cookie with subsequent requests
Note: Do check the ToS of the site you are trying to scrape. Some sites do not permit you to scrape or use their content without prior permission
Research php SOAP. It includes the tools to log in to another site, giving your php script access to the HTML which would normally be presented to the browser. BTW, this is called scraping
I need to load the login page of another website (different domain), wait for the user to fill it in and submit it, then read the URL/Location/Querystring for a token parameter to my site and close the login page.
Don't want the username or password, only interested in the returned token (http://www.othersite.com/?token=blahblahblah), which will then be passed as a querystring to a page on my domain (http://www.mydomani.com/loadtoken.php?token=blahblahblah).
Currently, a user has to do this in a separate page, copy and paste the token into my page, since these tokens only have a short life, it's somewhat irritating practice, and if it can be done behind the scenes by the site instead it would make it simpler for everyone.
Reading around on iframes, divs and ajax suggest this is not possible due to security policies, cross site scripting, etc.
Is it possible? What should I be looking for or concentrating on, or can you give some examples.
Thanks for your help.
Edit: Should have said, I understand that it's possible to take the username and password and do a POST behind the scenes, but I really want to avoid making the users give my site their login details to another site, for obvious reasons.
The simplest method is to present the login form on your own site. The form posts to your server, and the handling script then does a CURL request to do its own request to the other server. This sends the login response (which presumably contains that token) to your server.
However, if this token takes the form of a cookie, and the cookie's required for the user to do further operations on their own on this other site, then this won't work. There is absolutely no way for your server to accept the cookie on the user's behalf, then send the cookie to the user in such a way that it appears to have been set by the other server.
The easiest way would be for you to post that form's information to the remote host and have that site send the token to a callback script on your own host.
I need to load the login page of another website (different domain), wait for the user to fill it in and submit it, then read the URL/Location/Querystring for a token parameter to my site and close the login page.
You can't do that
What should I be looking for
OAuth / XAuth (which will require the co-operation of the site you are trying to log in to)
I would like to enable an "auto login" button for my users. By pressing the button the users will be logged in to a different site with the username and password that I have added inside the code.
My site uses php and this site is written on asp.
Is this possible?
Thanks in advance
You'd have to use CURL in PHP in order to send the POST data to your ASP script in the remote site.
Nevertheless, the ASP site might have some inner-validations which can lead to refuse your request, it's worth a try, though!
To set CURL to user POST, check out the setopt CURL function options, you have to set the CURLOPT_POST option to TRUE, but you might find that (depending on the ASP site), you need to activate/deactivate other options.
Cheers!
This depends on the website you're trying to login to.
In a website not using a key-based system for each visitor this can be achieved pretty easily.
First navigate to the page yourself that contains the login form and show it's page source.
Jot down every <input>-tag's name and value and determine which one is the username & password. Also note the form's action to see where the data is going towards.
Now you can use curl to send a user to the website, just inject the post data and apply your own username & password to it.
A. If you don't own the remote site:
Have you tried to post your authentication parameters directly to the ASP.net page? Then you could also try using CURL but either way, be rest assured that the site owner might lock you out anytime by implementing simple CSRF protection.
B. If you own the remote site:
You can share sessions with a unique key using a common database.
I want to create my own personal login gateway into Gmail/Facebook/any other site. In this gateway I enter my master username and password, then I can choose where to login (gmail/facebook/etc) without entering those usernames because they are stored on the server.
I tried to implement this by using cURL to send POST request with the headers and post data sent in Firefox during regular login. However, this doesn't work for neither facebook or gmail.
Has anyone tried this or have an idea about why this doesn't work?
Thanks.
// Edited
I am thinking the problem that it doesn't work lie in the fact that the IP address of the php server which sent the curl request to gmail is different from my browser's so, when the response from the gmail server is fed back to the browser, it still cannot authenticate.
Or is that the cookie I sent using curl to Gmail server actually changes according to time.
Based on your reply to my comment cURL is useless for your problem. You need to authenticate your browser with your services (gmail, facebook, ...), what you are doing now is authenticating your script (or your server).
You will have to use JavaScript to accomplish what you want. If you store your credentials for the services on your server, then send them back to the client once you successfully log-in into your webpage. Then you could create a hidden iframe with the "src" attribute set to the login page of the chosen service. Once the iframe loads you can fill the login information (username/password) into the appropriate fields and submit the form. Once this is complete you should be loged-in into your services.
There are probably some other techniques but this is the first that springs to mind ...
This is not necessarily feasible, Gmail and Facebook may be doing very simple checks to see who the referer is and when it comes from your site rather than their own login page refuses to login. This is basic security checks.
You would need to look at their api to see if you can do anything, or possibly you could use javascript and a firefox plugin to write your username and password to the webform then submit the form, a bit of a hack but might do what you want.
There is no reason why the cURL method you tried wont work with the correct headers. playing around scraping sites like digg.com i found i needed a valid USER AGENT header and of course an appropriate REFERER URL, keep going with the curl technique if that will work best for you overall. use an http header add-on to firefox to see what headers you are sending to gmail and then fake them completely.
Tryusing firebug to find out what the response returned, It should always give you the best lead.
I see no reason why it wont work, I read my Gmail and analytics with Curl.
Have you configured curl to accept and store cookies? Usually once you've been authenticated for an online service it will send you a security token in the form of a cookie that you can send back with every subsequent request to verify your authorisation.