From: Kevin Carhart <kevin@carhart.net>
To: edbrowse-dev@lists.the-brannons.com
Subject: [Edbrowse-dev] possible Referer issue
Date: Tue, 9 Jan 2018 01:22:49 -0800 (PST) [thread overview]
Message-ID: <alpine.LRH.2.03.1801090058330.2887@carhart.net> (raw)
In-Reply-To: <alpine.DEB.2.21.1801081058410.3263@debian.pulsar.com>
Hi everyone
Here are the 3 highest-up divergences that I can find between
amazon.wendy.5 and what I get when the login page rejects me. Do any of
these ring a bell?
I'm on edbrowse 3.7.1 with curl 7.32.0
(1) There is an HTTP parameter called prepopulatedLoginId.
In Karl's file, this is empty
prepopulatedLoginId=
In my attempt, it has a value.
prepopulatedLoginId=ape%3AZXlKamFYQm9aWElpT2lKcWJIRnBPR3BJVUdwcE5FaFFWMkpNYWpKWFZsSXJNelpSWkRVNFJsWkxUVVZtWlhsTVVtcFhhRzVSUFNJc0luWmxjbk5wYjI0aU9qRXNJa2xXSWpvaWJ6WndkbkJNV1RKR2JucFlRV2xEYldwNU5tUm1kejA5SW4wPQ%3D%3D
In JS, this parameter is located at
document.forms[0].prepopulatedLoginId.value
I'm playing around with trying to set this equal to "" in jdb, and it
seems that I can submit with it empty, but the login still fails. So
maybe this parameter is not important.
(2) referer/referrer
In Karl's file, the Referer has parameters appended:
Referer:
https://www.amazon.com/ap/signin?_encoding=UTF8&ignoreAuthState=1.......
In my attempt, there are no parameters appended:
Referer: https://www.amazon.com/ap/signin
I'm playing with the flag 'sr', for send referrer, but this defaults to
on, isn't that correct?
(3) Cookies
As the curl actions proceed, the POST is followed by the first response.
In Karl's file, this response includes several cookies that it does not
send me.
Karl gets 17. I only get the 10 empties from the beginning of the list,
give or take one. I don't get the substantive session-token and the rest
from there.
My guess is that these tokens are critical, and once the site declines to
give them to you, it's all over.
Set-Cookie: ap-fid=""; Domain=.amazon.com; Expires=Thu, 01-Jan-1970
00:00:10 GMT; Path=/ap/; Secure
Set-Cookie: a-ogbcbff=deleted; Domain=.amazon.com; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: x-main=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970
00:00:10 GMT; Path=/; Secure
Set-Cookie: session-id=""; Domain=.www.amazon.com; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: session-token=""; Domain=.www.amazon.com; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: session-id-time=""; Domain=.www.amazon.com; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: ubid-main=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970
00:00:10 GMT; Path=/; Secure
Set-Cookie: at-main=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970
00:00:10 GMT; Path=/; Secure
Set-Cookie: sess-at-main=""; Domain=.www.amazon.com; Expires=Thu,
01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: a-ogbcbff=1; Domain=.amazon.com; Expires=Mon, 08-Jan-2018
08:02:57 GMT; Path=/
Set-Cookie: ubid-main=134-4084505-6559221; Domain=.amazon.com;
Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/
Set-Cookie:
session-token="gjPmaaR/cmKiNkYFBaBJqKSWz4HPsmtIVrP4kLL99w4L+jACyaWiMMeEuiRP8IByZ3qWLDUEwdbrJ/RKsMonLoBF7alCjxY/DXxqlucbZIvN3OkQqOsDqqtT8Ct09OpYEFR7XhuylLtshrcp4IFAlpkbb2kC5hl0IPmPzDtOuFOz7a03nqgAKfWXOi29hykqT0Yvq86CWXVY0jMKne7QbLf0yCfSaQ2zyBDzdGbSe5Y=";
Version=1; Domain=.amazon.com; Max-Age=630720000; Expires=Sun, 03-Jan-2038
07:48:57 GMT; Path=/
Set-Cookie: x-main="KggLFRexG1hFrP8Wjq6TU7wBs?XDfLl6"; Version=1;
Domain=.amazon.com; Max-Age=630720000; Expires=Sun, 03-Jan-2038 07:48:57
GMT; Path=/
Set-Cookie:
at-main=Atza|IwEBILkpNpji4QB_tDibL7Vbc_LUeNK4T9w58lA5USnBv5bgA0mBkadvOphaccTRtKEcmrMmHFKVzrU-msMjzJ17xv519jdxK7a5O1jvDkZovEz8xp16j65WGxDf0BOcOTVAqK5IUCLcNuvNe4LUEdcQNJWCySxNA6ByiffQmZaLGFeRpENhosW2FLduVkp3Mp9-326IaFRtH0VAf9ZVVQqmwiUsoXu64cDNbz-pWr6Jf-aV6r4jRyq8d3EnQE_rKA2JtAZZx3soV6dVa5NEYDzCrB2Kv3uswYNxDyKCLbHGnKmzb6x0IvxGxVFev2FG2Kqw7uHNAqVcE2HPHARdXCrCosZMKa0TG0mbLm3fXLh_e4ntsNcg9hnffEpPHNKVOEPzfmTlCKP2hlSIvUQLhTMybb-F;
Domain=.amazon.com; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/; Secure;
HttpOnly
Set-Cookie: sess-at-main="iXWANpU3F/zV0pkuX+V+jjORKtxLfrHqg8EykI/3fPs=";
Version=1; Domain=.amazon.com; Path=/; Secure; HttpOnly
Set-Cookie:
sst-main=Sst1|PQFHdUdY7OLERZydn_YdxKORCGs1qWc0tmUGPPUUFJmpAJI_Yh53qu-Nzqo63t9WUxGegIHjDdglyghZv-xmdWlQtu4Tem-iIUKkETTKkVARNYAhQes9S176PlcxM58a1qi6OowPPgtOIhljiil9hje6wSvAct4ch9VXHE5gdtEI9gVTK5WyHkZga7prg-EMU01w1vfIakm65_1VoEm8KXVw6O0Iq7E2LNaMOU1wrPekXpWTe2st33T7T3jQxpUXQAJPVhk2mwjYxLOeUjhT5fxWmw;
Domain=.amazon.com; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/; Secure;
HttpOnly
Set-Cookie: lc-main=en_US; Domain=.amazon.com; Expires=Sun, 03-Jan-2038
07:48:57 GMT; Path=/
next prev parent reply other threads:[~2018-01-09 9:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-08 16:11 [Edbrowse-dev] the amazon saga Chuck Hallenbeck
2018-01-09 9:22 ` Kevin Carhart [this message]
2018-01-09 13:01 ` [Edbrowse-dev] possible Referer issue Chuck Hallenbeck
2018-01-09 22:58 ` Kevin Carhart
2018-01-10 2:55 ` Chuck Hallenbeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.03.1801090058330.2887@carhart.net \
--to=kevin@carhart.net \
--cc=edbrowse-dev@lists.the-brannons.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).