Odd login/GUID/cookie usage



  • I'm hacking out a bash script to help my wife find jobs as a substitute teacher. The district uses Aesop for thier assignments. Of course it doesn't support any sort of email notification or RSS feed. You either sit there and hit refresh or let the robot call you with a random job at 6 in the fucking morning. A random job is a teaching job it picked from the list, not paying any attention to your specialties, location, or other preferences. Which is just about the only way to find subs for some of "those" classes.



    They're using some sort of ASP form for a login. I thought it was pretty standard until I looked at what gets set after a login. It submits the login form via POST to a url with GET parameters. The form target is something like https://aesoponline.com/login.asp&GUID=<some GUID>&paswd= . Yes the paswd param is blank. The GUID in the URL matches the GUID I get given with a cookie. Thats the first unusual part. Anyone know why you'd have a GUID in the URL and in a cookie? Is it some hack to support people who don't want a simple session cookie from a site that gives them paying jobs?



    I started filling things in with curl and grep to snag the submit URL and had some problems simply passing the user and password in. I dug around again and saw that there were several blank hidden fields in the form and one field called 'foil' that appeared to be set to some random 6 char alphanumeric string. The login wouldn't pass without that string. Anyone familiar with that technique? I have no idea what that would do other than annoy someone trying to script the login and search for open jobs since the provider can't be deigned to provide a simple RSS feed or email notification.



  • Sounds to me like the GUID is being used a session ID, and the hidden "foil" field is used for referrer validation.



  • @Rotary Jihad said:

    The GUID in the URL matches the GUID I get given with a cookie. Thats the first unusual part. Anyone know why you'd have a GUID in the URL and in a cookie? Is it some hack to support people who don't want a simple session cookie from a site that gives them paying jobs?

    I don't know anything about ASP (.NET or otherwise) but in Java servlets, the HttpSession was originally designed to support exactly that. The JSESSIONID can be either a cookie or a parameter.

    @Rotary Jihad said:

    one field called 'foil' that appeared to be set to some random 6 char alphanumeric string. The login wouldn't pass without that string.

    Things like that are usually done for two reasons:  a) to prevent cross-site request forgery, and b) to ensure that a form is only processed once even if the user submits it more than once.

     


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.