How to auto log in to web site

voipnow

Well-Known Member
Joined
Apr 17, 2006
Messages
272
I know there is a method to auto login to a web site by adding the user name and password to the end of the URL. Can anyone teach me how?

eg www.websitetologinto.com *** username ??? password.

I'm sure it is easy when you know how.

I have to regularly log in to the same site for different users. Then I can create a shortcut or favourite for each log in.

Any help appreciated.
 

voipnow

Well-Known Member
Joined
Apr 17, 2006
Messages
272
thanks alf101
Does this method work for Firefox and IE?

If the site I'm interested in is

://196.22.136.28/WholeSale/GatekeeperUserLogin.aspx
do i use
.../WholeSale/GateKeepUsererLogin.aspx/login?Name=VOIPNOW&Password=mystery

thanks
 

FarligOpptreden

Executive Member
Joined
Mar 5, 2007
Messages
5,396
The ? is used to specify parameters in a query-string for the URL. If the URL accepts parameters for username and password and actually does anything with it, sure it would work then. Otherwise the parameters will just be ignored.

Also, it is a huge security risk to pass credentials through a query-string. VERY huge.
 

Raithlin

Executive Member
Joined
Jan 4, 2005
Messages
5,049
The ? is used to specify parameters in a query-string for the URL. If the URL accepts parameters for username and password and actually does anything with it, sure it would work then. Otherwise the parameters will just be ignored.

Also, it is a huge security risk to pass credentials through a query-string. VERY huge.
Re: security - yeah, that's precisely what I saw when I read the post on my RSS feed. BIG SECURITY HOLE.
 

sn3rd

Expert Member
Joined
Jan 18, 2008
Messages
4,305
The ? is used to specify parameters in a query-string for the URL. If the URL accepts parameters for username and password and actually does anything with it, sure it would work then. Otherwise the parameters will just be ignored.

Also, it is a huge security risk to pass credentials through a query-string. VERY huge.

Re: security - yeah, that's precisely what I saw when I read the post on my RSS feed. BIG SECURITY HOLE.

+1 000 000
 

guest2013-1

guest
Joined
Aug 22, 2003
Messages
19,800
Erm, if a website allows username and passwords to be sent through the querystring and not a post method then there's something REALLY wrong with their security and it should be looked at / reported to the website.

Use FireFox to remember your passwords, alternatively, if you're the programmer, why not just add a "cookie" to remember if a user logged in and automatically log them in next time (provided some security check is in place in case the user was dumb enough to login from a public PC)
 

newklear

Expert Member
Joined
Apr 15, 2008
Messages
1,458
*dequadin's example is the more secure and would say Cardspace with encrypted/decrypted Token use is the best option.

Create your own html login template:
Copy and Paste code into notepad, save as whatever.html
Double click to use or Bookmark.

Code:
<head>
</head>
<!-- Remove the onload attribute if you want to log in manually by clicking the 'Login' button. -->
<body onload="document.login.submit();">
<!-- Edit the website address -->
<form action="http://www.whateverwebsite.com/login.php" method="post" name="login">
<!-- Edit and verify each field name in the site's source -->
<input class="login_input" type="hidden" name="username" value="MYUSERNAME">
<input class="login_input" type="hidden" name="usermail" value="MYEMAIL@ADDY.COM">
<input class="login_input" type="hidden" name="password" value="MYPASSWORD">
<!-- Verify the button name in the source -->
<input class="login_input" type="submit" value="Login">
</form>
</body>

Just need to check the source of the site you wish to use the template on for the input names used and method.

At the end of the day I still feel much safer using Opera's Wand, since:
1. You can set a master password for all Wand logins
2. You have to know the keystroke (Ctrl-Enter) to actually use the wand.
Also some may argue it isn't safe to store passwords on your PC.
 

Turbo_Aspiration

Expert Member
Joined
Aug 11, 2005
Messages
1,435
Erm, if a website allows username and passwords to be sent through the querystring and not a post method then there's something REALLY wrong with their security and it should be looked at / reported to the website.

Use FireFox to remember your passwords, alternatively, if you're the programmer, why not just add a "cookie" to remember if a user logged in and automatically log them in next time (provided some security check is in place in case the user was dumb enough to login from a public PC)

Re: security - yeah, that's precisely what I saw when I read the post on my RSS feed. BIG SECURITY HOLE.

The ? is used to specify parameters in a query-string for the URL. If the URL accepts parameters for username and password and actually does anything with it, sure it would work then. Otherwise the parameters will just be ignored.

Also, it is a huge security risk to pass credentials through a query-string. VERY huge.

For interest's sake.. besides a password being displayed in plain view on the user's screen (it's a big one but let's ignore that for now), what would be insecure about this?

EDIT: I just thought of bookmarks and history, let's turn those off.
 

voipnow

Well-Known Member
Joined
Apr 17, 2006
Messages
272
The reason that I am investigating this method, is I log into a site with various different user names.
Firefox autofills in the one that I used first. For all the others I must type the name and password. This is the same if I open more than one tab.

Is there perhaps an add-on for Firefox that can remember more than one password and ask which one I want to use?
Thanks
 

guest2013-1

guest
Joined
Aug 22, 2003
Messages
19,800
For interest's sake.. besides a password being displayed in plain view on the user's screen (it's a big one but let's ignore that for now), what would be insecure about this?

EDIT: I just thought of bookmarks and history, let's turn those off.

Well, you can't use any special characters in your password for example. About 2 years back I found that my normal password I use (which contained an ampersand... which if you know anything would break the query string) couldn't be used with WA dsl checking facility as they pass that and my normal password over with query strings from my account menu...

Other than that and the plain view of your password, it would be fairly easy for a hacker to sniff your connection and get your password and username. He/she can also just hack the server itself and analyze the server logs for each hit and farm passwords from there like nobody's business.

Even if you secure the connection between you and the server with SSL (so there's no real sniffing going on), the server logs will still be able to tell them everything they need to know.

The reason that I am investigating this method, is I log into a site with various different user names.
Firefox autofills in the one that I used first. For all the others I must type the name and password. This is the same if I open more than one tab.

Is there perhaps an add-on for Firefox that can remember more than one password and ask which one I want to use?
Thanks

Then your firefox setup is a bit wonky. I have several twitter accounts for example and it doesn't fill in the username and password I first use automatically (because there is more than one). I usually just single click the username field and get a drop down of all the usernames I've used on the site before. Once I select it, the correct password gets autofilled and I just click "Sign In"

Some sites don't work as well though, especially if they have fancy ajax stuff on there or if the default values used for username/password etc deviates wildly from the norm (or if SSL is used)
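
Added example, not part of any post in this thread: a Python sketch of two effects described above, a password with an unencoded ampersand being cut short when the server parses the query string, and credentials landing in access logs, together with a scrubber that redacts them. The log lines, the SENSITIVE list and the function names are constructed for illustration; Name and Password are the parameter names from the URL earlier in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, quote

# Parameter names treated as secrets (assumed list; extend for your application).
SENSITIVE = {"password", "passwd", "pwd", "pass"}

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return target, []
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return parts._replace(query=urlencode(cleaned)).geturl(), leaked

def scrub_log(lines):
    """Redact credential parameters in access-log lines; return (lines, hit_count)."""
    out, hits = [], 0
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            target, leaked = redact_target(m.group("target"))
            if leaked:
                hits += 1
                line = line[:m.start("target")] + target + line[m.end("target"):]
        out.append(line)
    return out, hits

def received_password(raw_query):
    """What a server parses as Password from a raw, possibly unencoded query."""
    return dict(parse_qsl(raw_query, keep_blank_values=True)).get("Password")

# Constructed sample data (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2008:13:55:36 +0200] "GET /login?Name=demo&Password=s3cret HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2008:13:55:40 +0200] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    scrubbed, hits = scrub_log(SAMPLE_LOG)
    print(hits, scrubbed[0])
    print(received_password("Name=demo&Password=tom&jerry"))  # ampersand splits the value
    print(received_password("Name=demo&Password=" + quote("tom&jerry", safe="")))
```

Redacting at log-write time only limits what the server keeps; the URL is still recorded in browser history, bookmarks and any intermediary that sees the full request.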
 

guest2013-1

guest
Joined
Aug 22, 2003
Messages
19,800
Okay looks like the username : password @ notation used to be supported for http, but isn't RFC compliant.

Managed to rustle this up:


That's from msdn specifically talking about IE, here

Maybe that answers your question as to why it isn't working.

the username:password@ works only if you have Windows Integrated Authentication turned on the web server (well, any server that pops up a username/password box instead of using a form post or something similar like a web page)
 

FarligOpptreden

Executive Member
Joined
Mar 5, 2007
Messages
5,396
the username:password@ works only if you have Windows Integrated Authentication turned on the web server (well, any server that pops up a username/password box instead of using a form post or something similar like a web page)

Hmmm... interesting point. Might be useful for something I need to do which uses Windows Integrated Authentication. Thanks!
 

guest2013-1

guest
Joined
Aug 22, 2003
Messages
19,800
Smacks FarligOpptreden with the standards stick, I just posted that this method of http authentication is not RFC compliant.

Yup, there are other methods to use to authenticate without having that there...

The issue is here, the OP is trying to get into a site he didn't program (or manage) himself. If you have the code and you're the capt' of it, rather write something to do it than hack it in the QS
 

FarligOpptreden

Executive Member
Joined
Mar 5, 2007
Messages
5,396
Smacks FarligOpptreden with the standards stick, I just posted that this method of http authentication is not RFC compliant.

Yes yes, I know. Just a little side-project that I need a quick solution to. Don't worry, I'll never release anything like this into a production environment... ;)
 

Turbo_Aspiration

Expert Member
Joined
Aug 11, 2005
Messages
1,435
Well, you can't use any special characters in your password for example. About 2 years back I found that my normal password I use (which contained an ampersand... which if you know anything would break the query string) couldn't be used with WA dsl checking facility as they pass that and my normal password over with query strings from my account menu...

Other than that and the plain view of your password, it would be fairly easy for a hacker to sniff your connection and get your password and username. He/she can also just hack the server itself and analyze the server logs for each hit and farm passwords from there like nobody's business.

Even if you secure the connection between you and the server with SSL (so there's no real sniffing going on), the server logs will still be able to tell them everything they need to know.



Then your firefox setup is a bit wonky. I have several twitter accounts for example and it doesn't fill in the username and password I first use automatically (because there is more than one). I usually just single click the username field and get a drop down of all the usernames I've used on the site before. Once I select it, the correct password gets autofilled and I just click "Sign In"

Some sites don't work as well though, especially if they have fancy ajax stuff on there or if the default values used for username/password etc deviates wildly from the norm (or if SSL is used)

Ok, so we have
  • Bookmarks and History
  • Limits the characters used for password
  • Password in clear view (visually on screen)
  • Password stored in server logs

I'm sold
 

Raithlin

Executive Member
Joined
Jan 4, 2005
Messages
5,049
There's more. A semi-decent hacker could pick up your URL as you send it (or even after, in proxies around the world, or in your history as previously pointed out) - thank you very much, Mr. I'll have a go at your expense, yessiree... :erm:
 

Turbo_Aspiration

Expert Member
Joined
Aug 11, 2005
Messages
1,435
There's more. A semi-decent hacker could pick up your URL as you send it (or even after, in proxies around the world, or in your history as previously pointed out) - thank you very much, Mr. I'll have a go at your expense, yessiree... :erm:

I specifically left that one out as SSL obscures the URL beyond the host. A normal form post would suffer the same fate.
 

voipnow

Well-Known Member
Joined
Apr 17, 2006
Messages
272
In this specific instance I am not overly concerned about the security. The harm that a hacker could do to me by gaining access is very limited.

thanks for all the posts. I am going to check why firefox is not autofilling in passwords.
 