From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 9 Jan 2018 01:22:49 -0800 (PST)
From: Kevin Carhart
To: edbrowse-dev@lists.the-brannons.com
Subject: [Edbrowse-dev] possible Referer issue

Hi everyone

Here are the 3 highest-up divergences that I can find between amazon.wendy.5 and what I get when the login page rejects me. Do any of these ring a bell? I'm on edbrowse 3.7.1 with curl 7.32.0

(1) There is an HTTP parameter called prepopulatedLoginId.

In Karl's file, this is empty
prepopulatedLoginId=

In my attempt, it has a value.
prepopulatedLoginId=ape%3AZXlKamFYQm9aWElpT2lKcWJIRnBPR3BJVUdwcE5FaFFWMkpNYWpKWFZsSXJNelpSWkRVNFJsWkxUVVZtWlhsTVVtcFhhRzVSUFNJc0luWmxjbk5wYjI0aU9qRXNJa2xXSWpvaWJ6WndkbkJNV1RKR2JucFlRV2xEYldwNU5tUm1kejA5SW4wPQ%3D%3D

In JS, this parameter is located at
document.forms[0].prepopulatedLoginId.value

I'm playing around with trying to set this equal to "" in jdb, and it seems that I can submit with it empty, but the login still fails. So maybe this parameter is not important.

(2) referer/referrer

In Karl's file, the Referer has parameters appended:
Referer: https://www.amazon.com/ap/signin?_encoding=UTF8&ignoreAuthState=1.......

In my attempt, there are no parameters appended:
Referer: https://www.amazon.com/ap/signin

I'm playing with the flag 'sr', for send referrer, but this defaults to on, isn't that correct?

(3) Cookies

As the curl actions proceed, the POST is followed by the first response. In Karl's file, this response includes several cookies that it does not send me. Karl gets 17. I only get the 10 empties from the beginning of the list, give or take one. I don't get the substantive session-token and the rest from there. My guess is that these tokens are critical, and once the site declines to give them to you, it's all over.
Set-Cookie: ap-fid=""; Domain=.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ap/; Secure
Set-Cookie: a-ogbcbff=deleted; Domain=.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: x-main=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: session-id=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: session-token=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: session-id-time=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: ubid-main=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: at-main=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: sess-at-main=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure
Set-Cookie: a-ogbcbff=1; Domain=.amazon.com; Expires=Mon, 08-Jan-2018 08:02:57 GMT; Path=/
Set-Cookie: ubid-main=134-4084505-6559221; Domain=.amazon.com; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/
Set-Cookie: session-token="gjPmaaR/cmKiNkYFBaBJqKSWz4HPsmtIVrP4kLL99w4L+jACyaWiMMeEuiRP8IByZ3qWLDUEwdbrJ/RKsMonLoBF7alCjxY/DXxqlucbZIvN3OkQqOsDqqtT8Ct09OpYEFR7XhuylLtshrcp4IFAlpkbb2kC5hl0IPmPzDtOuFOz7a03nqgAKfWXOi29hykqT0Yvq86CWXVY0jMKne7QbLf0yCfSaQ2zyBDzdGbSe5Y="; Version=1; Domain=.amazon.com; Max-Age=630720000; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/
Set-Cookie: x-main="KggLFRexG1hFrP8Wjq6TU7wBs?XDfLl6"; Version=1; Domain=.amazon.com; Max-Age=630720000; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/
Set-Cookie: at-main=Atza|IwEBILkpNpji4QB_tDibL7Vbc_LUeNK4T9w58lA5USnBv5bgA0mBkadvOphaccTRtKEcmrMmHFKVzrU-msMjzJ17xv519jdxK7a5O1jvDkZovEz8xp16j65WGxDf0BOcOTVAqK5IUCLcNuvNe4LUEdcQNJWCySxNA6ByiffQmZaLGFeRpENhosW2FLduVkp3Mp9-326IaFRtH0VAf9ZVVQqmwiUsoXu64cDNbz-pWr6Jf-aV6r4jRyq8d3EnQE_rKA2JtAZZx3soV6dVa5NEYDzCrB2Kv3uswYNxDyKCLbHGnKmzb6x0IvxGxVFev2FG2Kqw7uHNAqVcE2HPHARdXCrCosZMKa0TG0mbLm3fXLh_e4ntsNcg9hnffEpPHNKVOEPzfmTlCKP2hlSIvUQLhTMybb-F; Domain=.amazon.com; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/; Secure; HttpOnly
Set-Cookie: sess-at-main="iXWANpU3F/zV0pkuX+V+jjORKtxLfrHqg8EykI/3fPs="; Version=1; Domain=.amazon.com; Path=/; Secure; HttpOnly
Set-Cookie: sst-main=Sst1|PQFHdUdY7OLERZydn_YdxKORCGs1qWc0tmUGPPUUFJmpAJI_Yh53qu-Nzqo63t9WUxGegIHjDdglyghZv-xmdWlQtu4Tem-iIUKkETTKkVARNYAhQes9S176PlcxM58a1qi6OowPPgtOIhljiil9hje6wSvAct4ch9VXHE5gdtEI9gVTK5WyHkZga7prg-EMU01w1vfIakm65_1VoEm8KXVw6O0Iq7E2LNaMOU1wrPekXpWTe2st33T7T3jQxpUXQAJPVhk2mwjYxLOeUjhT5fxWmw; Domain=.amazon.com; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/; Secure; HttpOnly
Set-Cookie: lc-main=en_US; Domain=.amazon.com; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/
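
Added example (not part of the original message and not edbrowse code): the comparison in (3), done mechanically. It replays the Set-Cookie headers of two captures the way a cookie jar would and lists the cookies that one response ends up holding and the other does not. The header lines are constructed samples with placeholder values, and the function names are made up for this sketch.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(line):
    """Split one 'Set-Cookie: ...' header into (name, value, attributes)."""
    body = line.split(":", 1)[1].strip()
    pair, *rest = [part.strip() for part in body.split(";")]
    name, _, value = pair.partition("=")
    attrs = {k.lower(): v for k, _, v in (item.partition("=") for item in rest)}
    return name, value.strip('"'), attrs

def is_expired(attrs, now):
    """True if the header deletes the cookie: Max-Age <= 0 or Expires in the past."""
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) <= now
    except (TypeError, ValueError):  # unparsable attribute: keep the cookie
        pass
    return False

def live_cookies(header_lines, now):
    """Replay headers in order; return names that hold a non-empty value at the end."""
    jar = {}
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, value, attrs = parse_set_cookie(line)
        # The same name on .www.amazon.com and .amazon.com is two different cookies.
        key = (name, attrs.get("domain", "").lstrip("."), attrs.get("path", "/"))
        if is_expired(attrs, now):
            jar.pop(key, None)
        else:
            jar[key] = value
    return {name for (name, _, _), value in jar.items() if value}

def missing_cookies(accepted, rejected, now):
    """Cookie names the accepted login received and the rejected one did not."""
    return sorted(live_cookies(accepted, now) - live_cookies(rejected, now))

# Constructed sample headers (placeholder values, not taken from a real capture).
NOW = datetime(2018, 1, 9, tzinfo=timezone.utc)
CLEAR = '=""; Domain=.www.amazon.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure'
KEEP = "; Domain=.amazon.com; Expires=Sun, 03-Jan-2038 07:48:57 GMT; Path=/"
REJECTED = ["Set-Cookie: " + n + CLEAR for n in ("session-id", "session-token", "ubid-main")]
ACCEPTED = REJECTED + ["Set-Cookie: ubid-main=EXAMPLE-UBID" + KEEP,
                       'Set-Cookie: session-token="EXAMPLE-TOKEN"; Version=1; Max-Age=630720000' + KEEP,
                       "Set-Cookie: lc-main=en_US" + KEEP]
print(missing_cookies(ACCEPTED, REJECTED, NOW))
```

To use it on real traces, pass the Set-Cookie lines from the two debug outputs in place of the sample lists.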