Cookie - Http Request

I am giving a http request through perl script using LWP::UserAgent and HTTP::Request. I have to pass cookie information along with the request. Doesn anybody know how to do that? Is cookie_jar the option? can anybody share some example?
TIA

Find more posts tagged with

Comments

ISCBorisB

I am giving a http request through perl script using LWP::UserAgent and HTTP::Request. I have to pass cookie information along with the request. Doesn anybody know how to do that? Is cookie_jar the option? can anybody share some example?
TIA

HTTP::Cookies

interDev

HTTP::Cookies

Tried this as well but not able to get intended results.

Actually i am trying to do the teamsite authentication through scripting and passing below information in the cookie but not able to successfully authenticate and in the response content, i see Login screen (ideally i should see the actual page which i calling through http:request and not Login screen). I hacked the Auth and Jession information from browser session on the server.

IWAUTH => '23523e646f6d4956724971f5b96454c5e8b606799f180cca255c55bcaf7445eae862da9e70216ae71e07b375157385d1d91d809ee483e96db9e1ad899c6dfd15c',iw_domain => 'domainname',iw_which_ui => '',iw_user => 'username',JSESSIONID =>'REFEBFA3D0656A6F5E8A88E26331EA23'

Any thoughts if i need to try something else?

Rick Poulin

Passing the auth and session tokens won't work. You script will stop working a short time later, as soon as the session expires. What you'd want to do is actually spoof the login starting from the login page, passing in a real username and password. Yes it can be done, but there's probably better ways of achieving this. One is using a Java class and/or JSP, since those can be wrapped with IWOV's authentication filter. The other, is to have the PERL script read the cookies passed by your incoming user (assuming you're using a CGI screen), and pass those on to the inner HTTP request.

ISCBorisB

Tried this as well but not able to get intended results.

Actually i am trying to do the teamsite authentication through scripting and passing below information in the cookie but not able to successfully authenticate and in the response content, i see Login screen (ideally i should see the actual page which i calling through http:request and not Login screen). I hacked the Auth and Jession information from browser session on the server.

IWAUTH => '23523e646f6d4956724971f5b96454c5e8b606799f180cca255c55bcaf7445eae862da9e70216ae71e07b375157385d1d91d809ee483e96db9e1ad899c6dfd15c',iw_domain => 'domainname',iw_which_ui => '',iw_user => 'username',JSESSIONID =>'REFEBFA3D0656A6F5E8A88E26331EA23'

Any thoughts if i need to try something else?

TS Servers keeps various active Sessions and *probably* can identify the requesting Agent.

I'm not sure of course - but it is possible that your Session hijacking did not work because
you are providing Session ID from the different Agent. What is the actual problem you are trying
to solve?

interDev

Passing the auth and session tokens won't work. You script will stop working a short time later, as soon as the session expires. What you'd want to do is actually spoof the login starting from the login page, passing in a real username and password. Yes it can be done, but there's probably better ways of achieving this. One is using a Java class and/or JSP, since those can be wrapped with IWOV's authentication filter. The other, is to have the PERL script read the cookies passed by your incoming user (assuming you're using a CGI screen), and pass those on to the inner HTTP request.

Here is what i did. Using the CGI Screen, captured the cookie information and passed it on to my http request. But still not able to authenticate. Below is my code.
[html]
foreach $key (sort keys %{$cgi->{cookie}})
{
$cookie_jar = $cookie_jar.$key." => '".$cgi->{cookie}{$key}."' , ";
}
chop($cookie_jar);
chop($cookie_jar);
$ua = LWP::UserAgent->new;

$request = HTTP::Request->new(GET => 'http://servername/URL');
$ua->cookie_jar($cookie_jar);
$response = $ua->request($request);
print $response->content;
[/html]

ISCBorisB

Here is what i did. Using the CGI Screen, captured the cookie information and passed it on to my http request. But still not able to authenticate. Below is my code.
[html]
foreach $key (sort keys %{$cgi->{cookie}})
{
$cookie_jar = $cookie_jar.$key." => '".$cgi->{cookie}{$key}."' , ";
}
chop($cookie_jar);
chop($cookie_jar);
$ua = LWP::UserAgent->new;

$request = HTTP::Request->new(GET => 'http://servername/URL');
$ua->cookie_jar($cookie_jar);
$response = $ua->request($request);
print $response->content;
[/html]

That does not look right. After you execute your 'foreach' loop your $cookie_jar
will be a string, not an Object of HTTP::Cookies Class.

One way or another, you'll have to put cookies into cookie jar. For example, you
may use "set_cookie" method. Something like this:

[php]use HTTP::Cookies;
my $cookie_jar = HTTP::Cookies->new(
autosave => 0,
);
. . .
foreach my $key (sort keys %{$cgi->{cookie}}) {
$cookie_jar->set_cookie(
1, # version
$key, # key
$cgi->{cookie}{$key}, # value
'/', # path
'YourTSDomain.com', # domain
'80' # port
# Few more optional parameters if needed
);
};[/php]

interDev

That does not look right. After you execute your 'foreach' loop your $cookie_jar
will be a string, not an Object of HTTP::Cookies Class.

One way or another, you'll have to put cookies into cookie jar. For example, you
may use "set_cookie" method. Something like this:

[php]use HTTP::Cookies;
my $cookie_jar = HTTP::Cookies->new(
autosave => 0,
);
. . .
foreach my $key (sort keys %{$cgi->{cookie}}) {
$cookie_jar->set_cookie(
1, # version
$key, # key
$cgi->{cookie}{$key}, # value
'/', # path
'YourTSDomain.com', # domain
'80' # port
# Few more optional parameters if needed
);
};[/php]

Tried passing it exactly the same way. It executes but doesnt authenticate. Can it be the case that any additional information also needs to be passed on (e.g. form data, Env data etc.)?

Also is there a way for me to validate the what exactly was sent in request? that ways i want to ensure that cookie has actually been sent along with the request.

ISCBorisB

Also is there a way for me to validate the what exactly was sent in request?

Sure is. Send it to your own test cgi that does nothing but logs required info. Or send it to OTB show_env.cgi and analyze the output

interDev

Sure is. Send it to your own test cgi that does nothing but logs required info. Or send it to OTB show_env.cgi and analyze the output

For capturing the response, thats exactly what i am doing. Using Show_env.cgi to display the response.
But this is for capturing the response and not for capturing the sent request. Is there a way to check that?

ISCBorisB

For capturing the response, thats exactly what i am doing. Using Show_env.cgi to display the response.
But this is for capturing the response and not for capturing the sent request. Is there a way to check that?

Ok, I'll try one more time....

In your LWP code, temporarily modify URL to target show_env.cgi. Set up your cookies, Form,
whatever. Send a request. Note - direct show_env request will go through, you do not have to
authenticate! On the server side, WebServer + show_env will process the request, format the
response showing what was in the request (plus Env Variables) and send it back.

You can then analyze your $response->content and see what you originally sent. You can for example
save response as html File and open it with the Browser.

When satisfied, restore original URL and bingo! Now you know exactly what will be posted to that
Target when you send a request from your LWP code.

Kapish?

interDev

Ok, I'll try one more time....

In your LWP code, temporarily modify URL to target show_env.cgi. Set up your cookies, Form,
whatever. Send a request. Note - direct show_env request will go through, you do not have to
authenticate! On the server side, WebServer + show_env will process the request, format the
response showing what was in the request (plus Env Variables) and send it back.

You can then analyze your $response->content and see what you originally sent. You can for example
save response as html File and open it with the Browser.

When satisfied, restore original URL and bingo! Now you know exactly what will be posted to that
Target when you send a request from your LWP code.

Kapish?

Thanks for the help !

I have posted my script below to gather the output. . whenever i run this script from command line, the response doesnt show the cookie information although I have setup a cookie with some test information in the code below. It shows the ENV variables only. Any thoughts?

In fact i actually tried accessing this script through http request as well as well but it is again returning only ENV variables without any cookie information.
[php]
#!E:/Interwoven/TeamSite/iw-perl/bin/iwperl

use LWP::UserAgent;

require HTTP::Request;
require HTTP::Headers;
use HTTP::Cookies;

$ua = LWP::UserAgent->new;

$request = HTTP::Request->new(GET => 'http://servername/iw-cc/iw-bin/show_env.cgi');
my $cookie_jar = HTTP::Cookies->new(
autosave => 0,
);
$cookie_jar->set_cookie(
1, # version
test, # key
testvalue, # value
'/', # path
'servername', # domain
'80' # port
# Few more optional parameters if needed
);
$ua->cookie_jar($cookie_jar);

$response = $ua->request($request);

# Check the outcome of the response
if ($response->is_success) {
print $response->content;
print "Success";
}
else {
print "Fail", "\n";
}

[/php]

ISCBorisB

You'd have to investigate. There are few things in the code that I would've changed if I were you, but still...
I run your code as is, changing only TS Domain. The result is enclosed, looks fine to me.

Are you sure that you've provided the same Domain in the request's Get and set_cookie Parameter?

interDev

ok, i think i found out the issue. I am accessing the server by giving the servername instead of domain name in GET and set_cookie parameters (because this server doesnt have a domain name as of now).
When i setup this script on a different teamsite old server(with domain name), it works. So i will get the domain name configured for the new server now and i will post the results after that.
Thanks a lot for your help !
PS: I know there are many additional changes required in this script.

ISCBorisB

i think i found out the issue...

Doubt it. Something is fishy here...

The process is local. As far as Cookies are concerned, Agent does not use Server and does not care whether
fully qualified host name is really a Domain, Server name, if it has a DNS Entry or anything else. For all
Agent cares it's a String. If Cookie's Domain matches Request's URL, the Cookie goes period.

To elaborate a little, Cookies are set by the Agent and sent through Cookie HTTP header. To do
that, complete Cookie Jar is scanned to get cookies that "match" Request's URL. Basically, URL's host
name should match exactly and both URL resources (right-to-left) and URL Path (left-to-right) partially
for the cookie to be considered a match. The better match goes. If there are several equally good matches,
all of them go.

interDev

Doubt it. Something is fishy here...

The process is local. As far as Cookies are concerned, Agent does not use Server and does not care whether
fully qualified host name is really a Domain, Server name, if it has a DNS Entry or anything else. For all
Agent cares it's a String. If Cookie's Domain matches Request's URL, the Cookie goes period.

To elaborate a little, Cookies are set by the Agent and sent through Cookie HTTP header. To do
that, complete Cookie Jar is scanned to get cookies that "match" Request's URL. Basically, URL's host
name should match exactly and both URL resources (right-to-left) and URL Path (left-to-right) partially
for the cookie to be considered a match. The better match goes. If there are several equally good matches,
all of them go.

A big time thanks to you ! I am able to login to Teamsite through script now and it resolved a big technical issue for me.

Above issue is non issue for me as i was able to access cookies through the domain name once it was configured. Why it was not working through server name, i dont know and i wouldnt even be bothered as i have the alternate solution working (using domain name).

Again thanks for the help !

ISCBorisB

A big time thanks to you ! I am able to login to Teamsite through script now and it resolved a big technical issue for me.

Above issue is non issue for me as i was able to access cookies through the domain name once it was configured. Why it was not working through server name, i dont know and i wouldnt even be bothered as i have the alternate solution working (using domain name).

Again thanks for the help !

No problem. I still think that whether it works or not, Session hijacking is not such a terrific idea to gain access to IW Services.
However, without knowing much more of why/when/how/where_from you are accessing TS I can not propose anything better.

marcussteiner

Hi,

I have exactly the same issue I need to call a URL which is in iw-cc.

Unfortunately I'm not clear what you have modified since your last post to get it running. I have been able to set the cookie using your snipplet but I'm not clear how I can call my actual script now.

M