How to auto log in to web site

[voipnow]

I know there is a method to auto login to a web site by adding the user name and password to the end of the URL. Can any one teach me how.

eg www.websitetologinto.com *** username ??? password.

Im sure it is easy when you know how.

I have to regularly log in to the same site for different users. the I can create a shortcut or favourite for each log in.

Any help appreciated.

 

[Ou grote]

www.mybroadband.co.za/client/login?Name=VOIPNOW&Password=dunno

 

[voipnow]

thanks alf101
does this method work for firefox and IE ?

if the site im intrested in is

://196.22.136.28/WholeSale/GatekeeperUserLogin.aspx
do i use
.../WholeSale/GateKeepUsererLogin.aspx/login?Name=VOIPNOW&Password=mystery

thanks

 

[FarligOpptreden]

The ? is used to specify parameters in a query-string for the URL. If the URL accepts parameters for username and password and actually does anything with it, sure it would work then. Otherwise the parameters will just be ignored.

Also, it is a huge security risk to pass credentials through a query-string. VERY huge.

 

[Raithlin]

The ? is used to specify parameters in a query-string for the URL. If the URL accepts parameters for username and password and actually does anything with it, sure it would work then. Otherwise the parameters will just be ignored.

Also, it is a huge security risk to pass credentials through a query-string. VERY huge.

Re: security - yeah, that's precisely what I saw when I read the post on my RSS feed. BIG SECURITY HOLE.

 

[sn3rd]

The ? is used to specify parameters in a query-string for the URL. If the URL accepts parameters for username and password and actually does anything with it, sure it would work then. Otherwise the parameters will just be ignored.

Also, it is a huge security risk to pass credentials through a query-string. VERY huge.

Re: security - yeah, that's precisely what I saw when I read the post on my RSS feed. BIG SECURITY HOLE.

+1 000 000

 

[guest2013-1]

Erm, if a website allows username and passwords to be sent through the querystring and not a post method then there's something REALLY wrong with their security and it should be looked at / reported to the website.

Use FireFox to remember your passwords, alternatively, if you're the programmer, why not just add a "cookie" to remember if a user logged in and automatically log them in next time (provided some security check is in place in case the user was dumb enough to login from a public PC)

 

[newklear]

*dequadin's example is the more secure and would say Cardspace with encrypted/decrypted Token use is the best option.

Create your own html login template:
Copy and Paste code into notepad, save as whatever.html
Double click to use or Bookmark.

<head>
</head>
<body>
<FORM action=http://www.whateverwebsite.com/login.php?method=postname=login> //Edit Website address
<INPUT class=login_input type=hidden name=username value="MYUSERNAME"> //Edit and verify field name in source
<INPUT class=login_input type=hidden name=usermail value="MYEMAIL@ADDY.COM"> //Edit and verify field name in source
<INPUT class=login_input type=hidden name=password value="MYPASSWORD"> //Edit and verify field name in source
<INPUT class=login_input type=submit value=Login> //Verify Button name in Source
</form>
</body>
<body onload="document.login.submit();"> //Remove this line if you want to manually login by clicking the 'Login' Button.

Just need to check the source of the site you wish to use the template on for the input names used and method.

At the end of the day I still feel much safer using Opera's Wand, since:
1. You can set a master password for all Wand logins
2. You have to know the keystroke (Ctrl-Enter) to actually use the wand.
Also some may argue it isn't safe to store passwords on your PC.

 

[Turbo_Aspiration]

Erm, if a website allows username and passwords to be sent through the querystring and not a post method then there's something REALLY wrong with their security and it should be looked at / reported to the website.

Use FireFox to remember your passwords, alternatively, if you're the programmer, why not just add a "cookie" to remember if a user logged in and automatically log them in next time (provided some security check is in place in case the user was dumb enough to login from a public PC)

Re: security - yeah, that's precisely what I saw when I read the post on my RSS feed. BIG SECURITY HOLE.

The ? is used to specify parameters in a query-string for the URL. If the URL accepts parameters for username and password and actually does anything with it, sure it would work then. Otherwise the parameters will just be ignored.

Also, it is a huge security risk to pass credentials through a query-string. VERY huge.

For interest's sake.. besides a password being displayed in plain view on the user's screen (it's a big one but let's ignore that for now), what would be insecure about this?

EDIT: I just thought of bookmarks and history, let's turn those off.

 

[voipnow]

The reason that I am investigating this method, is I log into a site with various different user names.
Firefox autofills in the one that I used first. For all the others I must type the name and password. This is the same if I open more than one tab.

Is there perhaps an ad on for firefox that can remember more than one password and ask whick one I want to use.
Thanks

 

[guest2013-1]

For interest's sake.. besides a password being displayed in plain view on the user's screen (it's a big one but let's ignore that for now), what would be insecure about this?

EDIT: I just thought of bookmarks and history, let's turn those off.

Well, you can't use any special characters in your password for example. About 2 years back I found that my normal password I use (which contained an ampersand... which if you know anything would break the query string) couldn't be used with WA dsl checking facility as they pass that and my normal password over with query strings from my account menu...

Other than that and the plain view of your password, it would be fairly easy for a hacker to sniff your connection and get your password and username. He/she can also just hack the server itself and analyze the server logs for each hit and farm passwords from there like nobodies business.

Even if you secure the connection between you and the server with SSL (so there's no real sniffing going on), the server logs will still be able to tell them everything they need to know.

The reason that I am investigating this method, is I log into a site with various different user names.
Firefox autofills in the one that I used first. For all the others I must type the name and password. This is the same if I open more than one tab.

Is there perhaps an ad on for firefox that can remember more than one password and ask whick one I want to use.
Thanks

Then your firefox setup is a bit wonky. I have several twitter accounts for example and it doesn't fill in the username and password I first use automatically (because there is more than one). I usually just single click the username field and get a drop down of all the usernames I've used on the site before. Once I select it, the correct password gets autofilled and I just click "Sign In"

Some sites don't work as well though, especially if they have fancy ajax stuff on there or if the default values used for username/password etc deviates wildly from the norm (or if SSL is used)

 

[Dude111]

I always thought the method was

http://username:password@www.whatever.com

Whenever i try it though it doesnt work (But it wouldnt be very secure i dont think)

 

[guest2013-1]

Okay looks like the username : password @ notation used to be supported for http, but isn't RFC compliant.

Managed to rustle this up:


That's from msdn specifically talking about IE, here

Maybe that answers your question as to why it isn't working.

the usernameassword@ works only if you have Windows Integrated Authentication turned on the web server (well, any server that pops up a username/password box instead of using a form post or something similar like a web page)

 

[FarligOpptreden]

the usernameassword@ works only if you have Windows Integrated Authentication turned on the web server (well, any server that pops up a username/password box instead of using a form post or something similar like a web page)

Hmmm... interesting point. Might be useful for something I need to do which uses Windows Integrated Authentication. Thanks!

 

[guest2013-1]

Smacks FarligOpptreden with the standards stick, I just posted that this method of http authentication is not RFC complient.

Yup, there are other methods to use to authenticate without having that there...

The issue is here, the OP is trying to get into a site he didn't program (or manage) himself. If you have the code and you're the capt' of it, rather write something to do it than hack it in the QS

 

[FarligOpptreden]

Smacks FarligOpptreden with the standards stick, I just posted that this method of http authentication is not RFC complient.

Yes yes, I know. Just a little side-project that I need a quick solution to. Don't worry, I'll never release anything like this into a production environment...

 

[Turbo_Aspiration]

Well, you can't use any special characters in your password for example. About 2 years back I found that my normal password I use (which contained an ampersand... which if you know anything would break the query string) couldn't be used with WA dsl checking facility as they pass that and my normal password over with query strings from my account menu...

Other than that and the plain view of your password, it would be fairly easy for a hacker to sniff your connection and get your password and username. He/she can also just hack the server itself and analyze the server logs for each hit and farm passwords from there like nobodies business.

Even if you secure the connection between you and the server with SSL (so there's no real sniffing going on), the server logs will still be able to tell them everything they need to know.



Then your firefox setup is a bit wonky. I have several twitter accounts for example and it doesn't fill in the username and password I first use automatically (because there is more than one). I usually just single click the username field and get a drop down of all the usernames I've used on the site before. Once I select it, the correct password gets autofilled and I just click "Sign In"

Some sites don't work as well though, especially if they have fancy ajax stuff on there or if the default values used for username/password etc deviates wildly from the norm (or if SSL is used)

Ok, so we have

• Bookmarks and History
• Limits the characters used for password
• Password in clear view (visually on screen)
• Password stored in server logs

I'm sold

 

[Raithlin]

There's more. A semi-decent hacker could pick up your URL as you send it (or even after, in proxies around the world, or in your history as previously pointed out) - thank you very much, Mr. I'll have a go at your expense, yessiree... :erm:

 

[Turbo_Aspiration]

There's more. A semi-decent hacker could pick up your URL as you send it (or even after, in proxies around the world, or in your history as previously pointed out) - thank you very much, Mr. I'll have a go at your expense, yessiree... :erm:

I specifically left that one out as SSL obscures the URL beyond the host. A normal form post would suffer the same fate.

 

[voipnow]

I this specific instance I am not overly concerned about the security. The harm that a hacker could do to me by gaining access is very limited.

thanks for all the posts. I am going to check why firefox is not autofilling in passwords.