cookie presentation 2

[simanek]

Hello all,

I want to fake out a webserver into thinking that a person has actually logged in and has gotten a cookie for the session. I have a valid password and username and I know what the name of the cookie needs to be. What I'm planning on doing is using a perl script to submit an http 'POST' to the page where the form submits to and get the session cookie from it. I can do this just fine. What I don't know how to do is present the webserver with my session cookie when I access a different page. Is it something in the http GET command that I need to write that presents it with my cookie or what? I'm at a loss. Actually, does this question even make sense to anyone? Any help would be greatly appreciated. Btw, system specs are as follows:
Server: solaris7, apache 1.3.20, perl cgi scripts
client: win2k, ie5.5

Any help, suggestions, or url's would be greatly appreciated.
Mike
~~~~
simanek@uiuc.edu
"It's a Swingline!"
~~~~

 

[stillflame]

have a look at the LWP modules. "If you think you're too small to make a difference, try spending a night in a closed tent with a mosquito."

 

[goBoating]

Why, exactly, do you want to subvert someone's security measures? I'm sure it is possible, but I am a little paranoid about helping engineer an unauthorized approach to someone's server. Can you explain upon why you are trying to do this trick?


keep the rudder amid ship and beware the odd typo

 

[simanek]

I'll gladly explain. There really is no tricking going on here. There is a report that is run on a ClearQuest server (developer bug tracking system) that in order to get to, you need to log into the system. What I want to do is simply automate the login process and grab the report for better formatting by a perl script that I'm writing. So I'm not trying to hack around the security measures, I'm just trying to make everything work in one click of a button. Mike
~~~~
simanek@uiuc.edu
"It's a Swingline!"
~~~~

 

[tsdragon]

You could try checking out

http://www.w3.org

for a complete description of the cookie header. It's pretty deep reading, but it should tell you what you need to know. Tracy Dryden
tracy@bydisn.com

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.

 

[htruong]

This is a suggestion about Client cookie!

Cut this code and save as your_file.js (you can see this code in JavaScript book)
---------------------------------------------------------
<script language=&quot;JavaScript&quot;>
<!--begin script
function getCookieVal (offset) {
var endstr = document.cookie.indexOf(&quot;;&quot;,offset);
if (endstr ==-1)
endstr = document.cookie.length;
return unescape(document.cookie.substring(offset, endstr));
}
//=====================================================
function GetCookie (name) {
var arg = name + &quot;=&quot;;
var alen= arg.length;
var clen= document.cookie.length;
var i=0;
while (i < clen) {
var j = i + alen;
if (document.cookie.substring(i,j) == arg)
return getCookieVal (j);
i = document.cookie.indexOf(&quot; &quot;,i) +1;
if (i ==0) break;
}//end while--------------------
return null;
}//end function------------------
//====================================================
function SetCookie (name,value,expires,path,domain,secure) {
document.cookie = name + &quot;=&quot; + escape(value) +
( (expires) ? &quot;; expires=&quot; + expires.toGMTString() : &quot;&quot +
( (path) ? &quot;; path=&quot; + path : &quot;&quot +
( (domain) ? &quot;; domain=&quot; + domain : &quot;&quot +
( (secure) ? &quot;; secure&quot; : &quot;&quot;
} //end function------------------
//====================================================
function DeleteCookie (name,path,domain) {
if (GetCookie(name)) {
document.cookie = name + &quot;=&quot; +
( (path) ? &quot;; path=&quot; + pathe : &quot;&quot +
( (domain) ? &quot;; domain=&quot; + domain : &quot;&quot +
&quot;; expires=Thu, 01-Jan-70 00:00:01 GMT&quot;;
}
} //end function------------------
//end script -->
</script>
--------------------------------------------------------

In any Perl file you want to check your cookie first have to add these code in the generated html file

<script language=&quot;JavaScript&quot; src=&quot;your_file.js&quot;>
var ExDay= new Date(&quot;December 1, 2005 24:00:00&quot;
if (GetCookie(&quot;your_cookie&quot) {
//Doing your job here for checked cookie here
} else {
SetCookie (&quot;your_cookie&quot;,&quot;your_cookie_value&quot;,ExDay,&quot;/&quot;,null,null)
}
</script>

Enjoy!
htruong
PS. Please note that *.js file have to store at &quot;document web directory&quot; not in &quot;cgi directory&quot;.