Sorry to bother you again but I’m having some troubles with a login webpage. I need to pass a user/password combo but whoever did the page went overkill with security, implementing srp. Alas i’m unable to just send a get/post like usual but i need to execute the srp authentication routine from the webpage. I can download all the files required(index page and two js with the service code on it) with no major problems with a httpsocket but how can i progress from there? I can paste the pages if required.
To answer your question, you would need at least a JavaScript engine to run the scripts, and probably a DOM engine of some kind to make that work. At that point you might as well use an HTMLViewer.
I tried opening the page with htmlviewer but I’m unable to extract the cookie I need to run my data flow. Is there any code sample (cookie extraction from htmlviewer) I can use to jumpstart developing?
Ps: I can understand Srp on a serious site, but I think that using it on the user facing side of a home router is a bit overspecced
I have just created a htmlviewer and deployed your code snippet onto a documentcomplete event for the htmlviewer object. I created a titlechanged event to execute a msgbox with the page title. I am getting the title of the document loaded onto the htmlviewer but i’m not seeing the cookie. Should I use a different event to check for document.title modification?
I think i may have found the culprit, the cookie is a HTTPOnly cookie so javascript cannot touch it The lack of integrated cookie management/extraction from htmlviewer is kinda limiting…
The cookie is sent to you, whether using a browser, the HTMLViewer class, or a HTTPSocket, and you need to grab it out of the HTTP headers… You need to send it back with every request… The HTTPOnly will only mean something to a web browser that supports it, in other words, for your HTMLViewer or HTTPSocket, it is meaningless…
[quote]If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script.[/quote]
There are open source versions of SRP that you could probably port over to Xojo, or you could take a look to see how to use OpenSSL (apparently SRP is available since version 1.0.1 of OpenSSL), through the shell class…
@shao sean Let’s say i want to track the httpheaders of a htmlviewer(which is set to use webkit). What code should i use to read to get the http headers of the current loaded page? Is there any code sample i can explore upon?
Through the HTMLViewer, this would require declares, and each platform is different… You would probably be better off using a HTTPSocket and doing the SRP through OpenSSL (or looking at porting the SRP code to Xojo)…
@shao sean Porting the srp code is way above my paygrade I’ll keep that in mind in case i wanted to explore the issue again. Hopefully someone more skilled than me will have solved the problem by then
The lack of integrated cookie management/extraction from htmlviewer is kinda limiting…