Log in using CFHTTP - authentication

I'm trying to create a function in ColdFusion that will allow me to log in to the EA Sports Web App so I can retrieve my profile data and display it on my site.
Looking at the source code from their login page the first step just appears to be a simple login form:
<form method="post" id="login_form" action="https://www.ea.com/uk/football/services/authenticate/login" class="login_form" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="redirectUrl" value="http://www.ea.com/uk/football/fifa-ultimate-team" />
<input type="hidden" name="failureUrl" value="http://www.ea.com/uk/football/login?failed=true&redirectUrl=http%3A%2F%2Fwww.ea.com%2Fuk%2Ffootball%2Ffifa-ultimate-team" />
<input type="hidden" name="captchaFailureUrl" value="http://www.ea.com/uk/football/login?failed=true&redirectUrl=http%3A%2F%2Fwww.ea.com%2Fuk%2Ffootball%2Ffifa-ultimate-team" />
<input id="email" name="email" class="text" type="text" tabindex="1" />
<input id="password" name="password" class="text" type="password" tabindex="2" />
<input type="checkbox" id="stay-signed" name="stay-signed" value="ON" checked="checked" tabindex="3" />
</form>
I'm using the CFHTTP request to submit the following:
<cfhttp url="https://www.ea.com/uk/football/services/authenticate/login" method="POST" result="myResult">
<cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded" />
<cfhttpparam type="formField" name="email" value="#Variables.user#" />
<cfhttpparam type="formField" name="password" value="#Variables.password#" />
</cfhttp>
When I dump what's returned, the fileContent contains the following:
<authenticate><success>0</success></authenticate> which I'm assuming means that the login has not been successful.
I know I'm not giving you much to play with here but there doesn't seem to be a great deal more to trying to get the login to authenticate. Can anyone point out where I might be going wrong please?

I'm not sure if this will solve your problem but there are a few things to consider when you submit a form remotely.
First, you do not know what logic resides behind the form so you should submit EVERYTHING in the form in case the handler needs it for something. If it expects a form field that you did not submit, an error will occur and you will not get logged in.
Second, you could technically consider your actions, although perfectly legitimate for your use, a bot or hack. The target website could be looking to make sure the handler is actually being accessed by the form. They could be looking at the HTTP_REFERER or they could even be doing some more fancy stuff like looking at the duration of your session because no HUMAN could submit a form in .0001 seconds. In these cases you're likely not to get logged in at all unless you discover a flaw in their security logic.
Third, as part of securing the site, some logic also looks at the client to make sure you're a real browser. The default value of the userAgent attribute is "COLDFUSION". If the target is expecting something longer, or something that contains a valid browser name, the script would assume you are a bot and reject the request. The solution for this is easy though. Just put a good browser name in your userAgent attribute. You can get yours by dumping the cgi scope. The problem with this is that you should maintain it somehow so you're not trying to use an old browser 5 years from now and the target says 'Sorry, chum. We don't support IE6 any more...'
<cfhttp userAgent = "Mozilla/4.0 (compatible; MSIE 7.0; {...}" ...>

All websites that log you in need to use cookies to achieve this as this is how they keep you logged in and maintain a session.
That cookie is then sent to the server with each subsequent page request to authenticate you as being logged in.
So you will need to emulate this with your cfhttp requests.
See this article
http://www.bennadel.com/blog/725-Maintaining-Sessions-Across-Multiple-ColdFusion-CFHttp-Requests.htm

Using cookie authentication and POST in an iFrame (iFrame content is ASP MVC Core, parent site 3rd party)

I have read through many answers on this topic but none seem to apply to what I am trying to do (or I am misunderstanding the problem entirely). Where a lot of my confusion lies is around whether it's the parent window or the iFrame that needs settings changed.
We have a small portal that allows users of our customers (asp mvc core 6 multi tenant app) to login and view their data. So far it works great, all but 1 of our customers do not iFrame the portal, we are trying to make it so they can frame our portal. They have their own domain.
Our authentication is the regular ASP Identity using cookies that is built in to the framework.
I've recreated a similar setup, I have a simple parent site that has this (the sub domain is their own sub domain to our site and if you go there you get the regular portal).
<div class="text-center">
<iframe src="https://sub.ourdomain.com" width="525" height="800" name="b3iframe"></iframe>
</div>
So far anything I do other than link to a new page fails within the iFrame. I can't POST a form, use AJAX, etc. Another problem is even if I try to log them in (without POSTING a form, just hardcoded login for testing) the cookie does not set and the portal returns to the login page.
I have tried setting 'same-site=none' on both the parent and the framed site (like what this describes).
I have tested simple things like making a fetch request and that fails (I get a 302).
All POST calls fail (even ones that don't require authentication, just test pages fail with a 400). When I get the 400 response code it is displayed within the frame.
I am aware and have used the ability to pass messages between the parent and iFrame but I don't think that can solve the cookie/POST problem.
I have tried using the 'target' attribute on the form to point to the iFrame but it appears that is for situations where the form is not inside the frame.
The iFrame code can be just a simple login form:
<form method="post" id="loginForm">
<div class="form-group">
<label>Email Address</label>
<div>
<input asp-for="UserName" class="form-control" />
</div>
</div>
<div class="form-group">
<label>Password</label>
<div>
<input asp-for="Password" type="password" class="form-control" />
</div>
</div>
<div class="mt-5">
<button type="submit" style="width:100%" class="btn btn-primary tenant-custom-button">Log in</button>
</div></form>
What's frustrating is even in a mock parent website that I made and have full control of I can't seem to set it up so that the iFrame can use cookies or POST/GET (the test parent website is also ASP MVC CORE). The only thing I can do is have links to other pages without auth or POSTS.
Thanks for your time,
Brian
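
As an added example (not part of the original post), the code below models how a browser decides whether to attach a cookie to a request made from inside a cross-site iframe, the situation described above. The cookie names, `customer.example`, and the Lax default for cookies without a SameSite attribute (Chromium behaviour) are assumptions, and it assumes the browser does not block third-party cookies outright.

```javascript
// Added example: which cookies a browser attaches to a request.
// Set-Cookie values and cookie names below are constructed samples.

// Parse one Set-Cookie header into the fields the SameSite check needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // Assumption: a cookie with no SameSite attribute is treated as Lax.
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: "lax" };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// ctx.topSite: site of the top-level page; ctx.targetSite: site the request
// goes to; ctx.topLevelNav: true only when the top-level window navigates.
function isSent(cookie, ctx) {
  if (cookie.sameSite === "none") return cookie.secure; // None without Secure is rejected
  if (ctx.topSite === ctx.targetSite) return true; // same-site: Lax and Strict are sent
  if (cookie.sameSite === "strict") return false; // never sent cross-site
  return ctx.topLevelNav && ["GET", "HEAD"].includes(ctx.method); // Lax
}

// Build the Cookie request header the browser would send in this context.
function cookieHeader(setCookies, ctx) {
  return setCookies.map(parseSetCookie).filter((c) => isSent(c, ctx))
    .map((c) => `${c.name}=${c.value}`).join("; ");
}

// A form POST made inside the iframe while a customer page is the top-level page.
const framedPost = { topSite: "customer.example", targetSite: "ourdomain.com", topLevelNav: false, method: "POST" };
// The same POST when the portal is opened directly.
const directPost = { topSite: "ourdomain.com", targetSite: "ourdomain.com", topLevelNav: true, method: "POST" };

const laxAndStrict = ["auth=abc; Path=/; Secure; HttpOnly; SameSite=Lax", "csrf=xyz; Path=/; HttpOnly; SameSite=Strict"];
const noneSecure = ["auth=abc; Path=/; Secure; HttpOnly; SameSite=None", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=None"];

console.log("direct, Lax/Strict:", cookieHeader(laxAndStrict, directPost));
console.log("framed, Lax/Strict:", cookieHeader(laxAndStrict, framedPost));
console.log("framed, None+Secure:", cookieHeader(noneSecure, framedPost));
```

SameSite=None also removes the browser-side protection against cross-site requests that Lax and Strict provide, so a portal configured this way should rely on its anti-forgery tokens and limit which origins may frame it, for example with a Content-Security-Policy `frame-ancestors` directive.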

Why use asp-controller and asp-action if it is not compulsory

@model Task3.Models.NewUser
<form action="" method="post">
<label>first Name </label>
<input type="text" placeholder="enter name" name="firstName"/>
<input type="text" placeholder="enter last name" name="lastName"/>
<button type="submit">Submit</button>
</form>
This code works even without asp-controller and asp-action. Why should I use those then?
The tag helpers asp-controller and asp-action can be used to automatically generate a target URL but you don’t have to use them. All they do is automatically generate the href attribute for links and action attributes for forms. If you want to fill in those values manually, there is nothing that’s stopping you from doing that.
However, using the tag helpers has a clear benefit: The actual URL that you have to use depends on various things that affect your application’s routing. So if you use manual values, you have to take that into account. And if your routing changes (for whatever reason), you have to manually update the URLs throughout your templates.
By using the tag helpers, you are attaching the target location to something that is usually rather static: A controller action. So that way, you decouple the template from your routing configuration.
One more note for form actions specifically: If you do not specify a form action, the browser will automatically post to the current URL. So if you have a POST handler on the same route as the form, then you can totally omit the action and depend on that behavior.

Make Paypal accept variable as price

I have recently started building a custom PC website with Serif Web X8.
I was trying to make a form that outputted its value to another page where it could be paid. After a while I managed to get some code (via hours of copy, paste and edit) that was a form that sent its value to another page; however, I do not know how to then get the variable that is the price and set it as the price for a PayPal button.
I tried this:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="custom" value="<?=$finalpriceexcvat;?>">
<input type="image"
src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_buynowCC_LG.gif" border="0"
name="submit" alt="PayPal – The safer, easier way to pay online.">
<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif"
width="1" height="1">
</form>
But when it redirects to PayPal it says "Some required information is missing or incomplete. Please correct your entries and try again."
I have gone through the code and checked it against some other html code that does the same thing, but to no avail.
Am I missing any code?
Here is the link to a sample form.

Adding google custom search to a ready-made designed search box

I have my own design of a search box in my website and was keen on keeping it rather than displaying Google's design.
<div class="search-header">
<form action="#">
<input type="search" value="" placeholder="Search.." autocomplete="off" required="required" name="s" />
<input type="submit" value="search" />
</form>
</div>
The following code is the one I have on my site. It came already with the template I bought. How do I keep the same design and add Google custom search to it?
We'll want to start by looking here for more information.
https://developers.google.com/custom-search/docs/tutorial/introduction
This will tell you how to get started with google's custom search.

Is it possible to control interface rendering using JAAS?

I need something to do a role based permission when rendering elements on a page exactly like implemented in JBoss Seam where you have the rendered tag while declaring the page elements. My doubt is if it is possible to do that using standard JAAS?
The container (WebLogic) is connected to the LDAP server where the user is associated with a bunch of groups/roles and I would like to use some declarative approach to render menu elements based on the groups the logged-in user belongs to. That would be exactly like the Roles/rendered implemented in JBoss Seam 2. Is it possible to do that or something similar with standard J2EE? If not, is there some open source API that would do the job?
Thanks in advance.
After some days of research, what I did was configure the WebLogic realm to connect to the LDAP and then use a standard form login:
<form method="POST" action="j_security_check">
<p>Username: <input type="text" name="j_username"/></p>
<p>Password: <input type="password" name="j_password"/></p>
<input type="submit" value="Login"/>
</form>
After that I had my interface rendering using:
if (request.isUserInRole("ROLE_NAME"))
to check if the logged in user should be presented with a specific interface fragment. It worked.