LWP, cookies, and adding to request string

[Chris]

Hello all,

I happened upon this group while searching around for
information on this topic. Here's the situation:
I've written a QA test tool for two sites that uses
LWP and Cookies in Perl. On the first site, I used
cookie_jar and everything worked just fine as far as
sessions went. On the second site, however, once a
user logs in, a unqique session variable (session=) is
being passed around in the URL wherever you go in the
members area.

Is there a way to deal with this using LWP and
cookie_jar? Another bit of information that may be
useful: the login form is submitted via Javascript -
I'm posting to the "resulting" members page via LWP,
but there could possibly be a middle layer page that
sets the session variable in the request string.

i.e. Login Page->Js function->(some page I need to
track down)->resulting members page

In any case, thoughts and suggestions would be greatly
appreciated.

Regards,
Chris

 

[Mina Naguib]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,

I happened upon this group while searching around for
information on this topic. Here's the situation:
I've written a QA test tool for two sites that uses
LWP and Cookies in Perl. On the first site, I used
cookie_jar and everything worked just fine as far as
sessions went. On the second site, however, once a
user logs in, a unqique session variable (session=) is
being passed around in the URL wherever you go in the
members area.

Is there a way to deal with this using LWP and
cookie_jar?

No, it the CGI on the other end expects the session to be in the GET request parameters, it has to
be there. Unless they're doing something very generic like $session = cookie("name") ||
form("name"); which is both silly, insecure and highly unlikely.

Another bit of information that may be
useful: the login form is submitted via Javascript -
I'm posting to the "resulting" members page via LWP,
but there could possibly be a middle layer page that
sets the session variable in the request string.

i.e. Login Page->Js function->(some page I need to
track down)->resulting members page

In any case, thoughts and suggestions would be greatly
appreciated.

When scripting stuff like that, one of the best tools I use (aside from a web browser) is a network
sniffing tool, especially one with a good layer 7 analyzer such as ethereal. It makes it very easy
to see *exactly* which variables are being submitted, the method used, any cookies, etc... Stuff
that a javscript function might hide from the browser's end user.

Best of luck.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/CeAleS99pGMif6wRAnknAJ49spMyC2QAKBJH1mXpJ099SmQALgCfZv8M
+OUkrNdwUQe2cdGIZE0UFQ4=
=41HS
-----END PGP SIGNATURE-----