dixieflatline
06-03-2005, 01:20 AM
Hi,
I have an issue where I am attempting to authenticate a login request in a spawned browser window and then move on to another page in the same window. Unfortunately I have 2 issues. The first is that my form submit is showing the username and password in the url. The second is that I want to login and change the page without the user noticing.
I am using stand alone player wrapped in an mdm application shell (3rd party extended actionscript application), which is a widget which sits on your desktop. This spawns a new browser after you type your username and password and click on a search term.
The described issues also exist in the Test Movie and stand alone player so we can rule out the 3rd party app for now.
I am using the LoadVars.send() with POST option; through header method (Effectively a FORM SUBMIT which I have tested successfully in a local html file with form action).
It seems the cross domain policy applies to a test movie or stand alone player. In turn this means the POST method converts to a GET method (which shows URL CGI variables).
I would like to know if there is a way round this so I can hide the username and password from the url. The only way I can get this working is to capture the GET variables on the server; which leaves the username and password in the url bar.
I have looked at the post here, and it seems to confirm my findings.
http://livedocs.macromedia.com/flash/mx2004/main_7_2/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Flash_MX_2004&file=00001418.html
Examine the Macromedia responses about POST.
If that’s not correctable, I will have to continue to let the server service the GET request and move onto the second issue.
From the same movie; if you first authenticate with the LoadVars.send() with variables, and then do another LoadVars.send() or getURL(); pointing to a secure point within the target site; it targets the spawned window which is now authenticated with a session variable.
That’s great but I need to log into the site and then redirect myself to a new page based on completion of the login request, or login without the user noticing and set a session variable which I can spawn a new authenticated window from.
I would like to authenticate silently if possible so only the second (search) page I want is visible when the window spawns.
If I use the LoadVars.sendAndLoad(), authenticate to the site and trace the raw output of the MovieClip.onData, you can see that I got authenticated; so I guess the cookie is set somewhere the player which it then has access to. Is it then possible to spawn a new window with the same authenticated state in the same way that LoadVars.send() run concurrently uses the same window?
If not can I cleverly use LoadVars.send() to first to log on, and then wait or detect my authenticated state and then fire the second request at the same new window?
If you have come across this before or if you need me to explain parts in more detail, please let me know.
I quickly thrown 3 buttons together to show you simply the tests I have made.
Button 1 opens a window which is logged in and the session variable is set.
Button 2 targets a new protected page but as it’s using the same window it’s authorised.
Button 3 shows the raw output of the HTML response. Quite useful really if you are going to throw regex at it and chop it up.
Many thanks,
C.
Button 1
on (press) {
var URL:String;
URL = "http://www.mylogin.com/login";
lvButton = new LoadVars();
lvButton.passwd="password";
lvButton.userName="username";
trace(lvButton);
lvButton.send(URL , "_blank", "POST");
}
Button 2
on (press) {
var URL:String;
URL ="http://www.mylogin.com/apagerequiringauth";
getURL(URL, "_blank");
/* or the LoadVars() send again */
/*
var URL:String;
URL = "http://www.mylogin.com/apagerequiringauth";
lvButton = new LoadVars();
lvButton.search="something";
trace(lvButton);
lvButton.send(URL , "_blank", "POST");
trace(lvButtonIn);
*/
}
Button 3
on(press) {
myVars = new LoadVars();
myVars2 = new LoadVars();
myVars.userName = "username";
myVars.passwd = "password";
myVars.sendAndLoad("http://www.mylogin.com/login", myVars, "post");
myVars.onData = function(raw) {
var tmpText = "";
if (raw.indexOf("\r\n") > -1) {
tmpText = raw.split("\r\n").join("\n");
} else tmpText = raw;
trace(tmpText);
}
}
I have an issue where I am attempting to authenticate a login request in a spawned browser window and then move on to another page in the same window. Unfortunately I have 2 issues. The first is that my form submit is showing the username and password in the url. The second is that I want to login and change the page without the user noticing.
I am using stand alone player wrapped in an mdm application shell (3rd party extended actionscript application), which is a widget which sits on your desktop. This spawns a new browser after you type your username and password and click on a search term.
The described issues also exist in the Test Movie and stand alone player so we can rule out the 3rd party app for now.
I am using the LoadVars.send() with POST option; through header method (Effectively a FORM SUBMIT which I have tested successfully in a local html file with form action).
It seems the cross domain policy applies to a test movie or stand alone player. In turn this means the POST method converts to a GET method (which shows URL CGI variables).
I would like to know if there is a way round this so I can hide the username and password from the url. The only way I can get this working is to capture the GET variables on the server; which leaves the username and password in the url bar.
I have looked at the post here, and it seems to confirm my findings.
http://livedocs.macromedia.com/flash/mx2004/main_7_2/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Flash_MX_2004&file=00001418.html
Examine the Macromedia responses about POST.
If that’s not correctable, I will have to continue to let the server service the GET request and move onto the second issue.
From the same movie; if you first authenticate with the LoadVars.send() with variables, and then do another LoadVars.send() or getURL(); pointing to a secure point within the target site; it targets the spawned window which is now authenticated with a session variable.
That’s great but I need to log into the site and then redirect myself to a new page based on completion of the login request, or login without the user noticing and set a session variable which I can spawn a new authenticated window from.
I would like to authenticate silently if possible so only the second (search) page I want is visible when the window spawns.
If I use the LoadVars.sendAndLoad(), authenticate to the site and trace the raw output of the MovieClip.onData, you can see that I got authenticated; so I guess the cookie is set somewhere the player which it then has access to. Is it then possible to spawn a new window with the same authenticated state in the same way that LoadVars.send() run concurrently uses the same window?
If not can I cleverly use LoadVars.send() to first to log on, and then wait or detect my authenticated state and then fire the second request at the same new window?
If you have come across this before or if you need me to explain parts in more detail, please let me know.
I quickly thrown 3 buttons together to show you simply the tests I have made.
Button 1 opens a window which is logged in and the session variable is set.
Button 2 targets a new protected page but as it’s using the same window it’s authorised.
Button 3 shows the raw output of the HTML response. Quite useful really if you are going to throw regex at it and chop it up.
Many thanks,
C.
Button 1
on (press) {
var URL:String;
URL = "http://www.mylogin.com/login";
lvButton = new LoadVars();
lvButton.passwd="password";
lvButton.userName="username";
trace(lvButton);
lvButton.send(URL , "_blank", "POST");
}
Button 2
on (press) {
var URL:String;
URL ="http://www.mylogin.com/apagerequiringauth";
getURL(URL, "_blank");
/* or the LoadVars() send again */
/*
var URL:String;
URL = "http://www.mylogin.com/apagerequiringauth";
lvButton = new LoadVars();
lvButton.search="something";
trace(lvButton);
lvButton.send(URL , "_blank", "POST");
trace(lvButtonIn);
*/
}
Button 3
on(press) {
myVars = new LoadVars();
myVars2 = new LoadVars();
myVars.userName = "username";
myVars.passwd = "password";
myVars.sendAndLoad("http://www.mylogin.com/login", myVars, "post");
myVars.onData = function(raw) {
var tmpText = "";
if (raw.indexOf("\r\n") > -1) {
tmpText = raw.split("\r\n").join("\n");
} else tmpText = raw;
trace(tmpText);
}
}