I'm writing a few mobile apps to help students at my college access resources on their mobile devices. I have everything functioning after a user logs in, but I still can't figure out how to reengineer the login page. Right now, the only way to log in is to open a webview
to the login page. I'd like to be able to POST
the login information directly to the page, that way I don't have to open a login webview
.
Long story short - the login page for this resource not only passes UserID and Password, but a random UUID variable that I can't seem to figure out. It changes with every session, and I can't find any pattern with them. Right now, I've tried using GET
to pull the page and extract this UUID from the source, then use POST
to send it back along with the login information, but it fails.
Here is the login page's source (I removed the unrelated parts of the source for the sake of saving space):
<html>
<head>
<script language="javascript1.1">
var clientServerDelta = (new Date()).getTime() - 1403699390279; <!--this number changes with every load? -->
function login()
{
setQueryAsCookie();
document.cplogin.user.value=document.userid.user.value;
if ( document.cplogin.uuid )
{
document.cplogin.uuid.value=(new Date()).getTime() - clientServerDelta;
}
document.cplogin.submit();
}
</script>
<div id="loginBox">
<table border="0" cellpadding="2" cellspacing="0" width="100%">
<tr>
<td align="center">
<table border="0" cellpadding="4" cellspacing="0" width="100%">
<form name="userid" onSubmit="xferFocus(this); return false;">
<tr>
<td align="right" width="40%"><span class="style1"><b>
<label for="user" accesskey="u">User Name</label>:</b></span></td>
<td align="left" width="60%">
<span class="text10">
<script language="JavaScript1.2">
document.writeln("<input class=\"textform\" type=\"text\" id=\"user\" name=\"user\" size=\"" + size + "\" tabindex=1 onFocus=\"hadFocus(true)\">");
</script>
</span>
</td>
</tr>
</form>
<form name="cplogin" action="https://<website>/login" onSubmit="login(); return false;" method="post">
<tr>
<td align="right"><span class="style1"><b>
<label for="pass" accesskey="p">Password</label>:</b></span></td>
<td align="left">
<span class="text10">
<script language="JavaScript1.2">
document.writeln("<input class=\"textform\" type=\"password\" id=\"pass\" name=\"pass\" size=\"" + size + "\" tabindex=2 onFocus=\"hadFocus(true);\">");
</script><input type="hidden" name="user" value=""><input type="hidden" name="uuid" value=""/>
</span>
</td>
</tr>
</form>
</table>
</td>
</tr>
</table>
</div>
I may have too many closing tags on there, but whatever, the base of the code is there; the closing tags don't mean too much. Anyway, when I capture a POST
stream, it's passing userid, password, and uuid to /login. I can't seem to figure out what the heck is generating the UUID.
EDIT:
Figured it out! SunGard's process is described in the comments here: https://www.lumdev.net/node/9994.
According to novosirj on Lumdev: "Reading the code, it very much looks like it's taking the current date in epoch milliseconds, subtracts a value that it gets from the client (which also very much looks like epoch milliseconds), and calls that clientServerDelta, and then subtracts that difference from a newly-generated date later on and gets roughly another value in epoch milliseconds (that was the part I was missing -- it does not work in seconds, but instead milliseconds)."
There's a hardcoded UUID value that will ALWAYS pass a valid session ID: 0xACA021. I just passed that value along with my login information in a POST
, and sure enough, I logged in. Awesome!