I want to login into a website. I need to identify the url to login. The view source shows post method as follows.
<form id="signIn" onsubmit="return false;" action="/f1/logon" method="post">
I see that there is no javascript that validates the url.
When i use the below url directly on a browser,
https://www.abc.com/f1/logon
I get a blank page. When I use below,
https://www.abc.com/logon
I dont see the repsonse of the loggedin page. It shows the response of the signin page though. How do i identify the correct url to autologin. downloaded soem toold like fiddler but no help. any inputs?
Invoking a URL in a browser sends a GET request. This form, however, is configured to send a POST request (look at the method attribute), so it makes sense that you are not seeing anything in your browser.
It's strange that the onsubmit attribute returns false. This prevents the form from being submitted at all. Take a look at the "login" button. There may be some Javascript code there which does the form submission.
Fidller is a good tool, you can start capture job and then you perform a login. Find which request contain your login and password.
Related
I have a simple login page (login.jsp) and I'm checking it against a database to verify user credentials. This is just for testing, not for making an actual site.
In the verification servlet where the values are checked against the DB values, if there is not a match I do a
response.getRedirect("login.jsp?loginfailed=true");
This, obviously, sends me to
localhost:8080/blahblahblahblah/login.jsp?loginfailed=true
which is what I want. But then, in the jsp file, I do
<%
if(request.getParameter("loginfailed") == "true")
{
out.println("login failed");
}
%>
I'm well aware that I should replace this with JSTL, it's just easier for me to use scriptlets at first for control flow and I change them out once the logic works.
I just don't know why it is not working right now. What am I doing wrong?
Basically when credentials DO match DB values, it redirects to a success page. But if they don't, it redirects back to login.jsp with a URL param, and I want to print some text that says the login failed so the user doesn't have to look at the url to see that.
your redirection should be in this way.
response.sendRedirect(request.getContextPath()+"/login.jsp?loginfailed=true");
After submitting a form, calling an action and redirecting to show the jsp, the final url of the browser will show the action with the submit parameters as follows. Is it possible to hide the parameters ?
http://localhost:8080/myproject/login?username=aaa&password=123
Use "redirect" result type to send the redirect to the browser. The parameters should still be in your session/action context.
The comment by #sanbhat is right - use a POST request so that the parameters do not appear in the URL. Using browser dev tools or similar it's still possible to inspect the request and it's post data, there's nothing you can do about that.
In the final redirect to the result JSP, (which presumably shows what the user wrote on the form), then the fields can be populated by saving the results in session scope, so no need to have request parameters on the redirect URL.
i guess you are making a GET call here..
in the submit action make sure you specify method="post" so that password wont appear as parameter
You are using get method. Change it to post method. Example is:
form method="post" name="form name" action="Your action page"
use post method in the form , default is get so u always see the parameters in the url.
<form action="some.jsp" method="post">
I want to forward from one page to another but with the same I want url to be changed. Suppose user is here http://mywebsite/register and when he completes his registration process then I want this in his address bar http://mywebsite/home
Is it possible without using sendRedirect , I mean by the way server side forwarding only? or any other way around to this problem?
You could just let the HTML form submit to that URL directly.
<form action="http://mywebsite/home">
But this makes no sense. You'll also run into problems when redisplaying the same form with validation messages in case of validation failure. You'd need to redirect back to the original page if you intend to keep the original URL and you'd need to fiddle with storing messages in the session scope instead of the request scope because a redirect basically creates a brand new request. You'll without a redirect also run in "double submit" problem whenever the enduser presses F5 after submitting the form.
Just let the servlet redirect the successful POST request to the desired URL. That's the canonical approach. Even more, this is a recommend "design pattern": the POST-Redirect-GET pattern.
AFAIK there's no way around a redirect since the browser has to update the url at some point. And if you'd update the url after the forwarded to page has been loaded it would issue a refresh and the page would be loaded again (which might result in an endless loop).
Why don't you want to use a redirect in that case?
I am using Struts and Java. The problem is that I have a page with some results. The user can click an item and edit it. I want after editing the user to be able to return back to the results. Back isn't broken but if he submits the form for update he would have to click back 2 times I think and may have problem.
I have tried header("Referer") but this doesn't work in Internet Explorer.
I am trying to implement a solution. Any ideas? My idea is to save url and move around an ID of that url. And when I want to return back get the url from ID. Storing it in the session is not a solution because the user may have opened multiple windows.
Passing a URL as a request parameter may create security issues. Powerlord is right that the USER can alter the referrer header. This will allow the user to visit a page, something they can do anyway. More seriously, following a URL that is in a request parameter allows an attacker to send the user to a page of the attacker's choice, with the appearance that this page is recommended by your application. So the answer from BalusC can enable Cross-Site Request Forgery.
The best way is to pass it around as a request parameter. On the edit link or button, just pass the current URL along as request parameter. Here's an example with a link:
edit
Or if it's a button to submit a form, then rather pass it as hidden input value in the same form:
<input type="hidden" name="from" value="${pageContext.request.requestURI}">
In the page with the edit form, transfer it to the subsequent request as hidden input value of the form:
<input type="hidden" name="from" value="${param.from}">
In the action method, just redirect to that URL after finishing the action. Since I don't do Struts, I can't give a detailed Struts example, but here is how you would do it with "plain vanilla" Servlet, you must be able to port it to a Struts approach:
response.sendRedirect(request.getParameter("from"));
I've got several Portlets with some links in them, all I want is to hide the URL params. So I thought it would be easy to include some jQuery code, which builds a form for each and binds a click event on it to submit the form.
This does not work. The action request isn't hit for some reason.
Does anyone have a different suggestion for hiding URL parameters?
description of link
<form name="mydataform" id="mydataform" action="/actionurlonyoursite" method="post">
<input type="hidden" name="myparam" value="" />
</form>
<script type="text/javascript">
function handleThisLink()
{
// access the hidden element in which you wish to pass the value of the parameter
dojo.byId("myparam").value = "myvalue";
// the value might be precomputed (while generating this page) or
// might need to be computed based on other data in the page
// submit the form by HTTP POST method to the URL which will handle it.
document.forms['mydataform'].submit();
// also possible to actually send a background AJAX request and publish
// the response to some part of the current page, thus avoiding full
// page refresh
// I used dojo.byId() as a shortcut to access the input element
// this is based on dojo toolkit.
}
</script>
Links fire GET requests by default. You cannot fire HTTP GET requests without passing parameters through the URL. The only what can do this is HTTP POST. All parameters are then included in the request body. But you would need to replace all links by forms with buttons and you need to modify the server side code so that it listens on POST requests instead of GET requests to take actions accordingly.
Javascript can also fire GET requests just in "the background" with help of XMLHttpRequest, but when a client has JS disabled, your application will either break or still display the parameters. Also the client has full control over JS code, so it does not necessarily "hide" the parameters from the client, but only from the browser address bar.
You can using XMLHttpRequest to hide URL parameter or using session variable of servlet container.
Maybe you can using encode url to show complex data to end user.
good luck