Wednesday, July 23, 2008

Automated login to Domino by HTTP POST request

In a comment on Joachim Dagerot's blog post "Login in with just url-arguments" I mentioned that it's possible to log in without exposing login credentials in the URL. This is done by making a POST request to the Domino web server instead of a GET request. The user can still see the login credentials by viewing the page's HTML source, but at least they are not shown directly in the URL. Showing login details in the URL makes it possible for passers-by to see your password; it is also saved in the browser's URL history and logged in the Domino log database, which is not good, as anyone with access to the log database can see it. Such a URL might even get indexed by Google and show up in the search results.
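The logging exposure described above can be audited after the fact. The following is an added example, not part of the original post: it scans exported web access-log lines for `names.nsf?Login` style requests that carry a password in the query string and prints them with the value masked. The common-log line format and the sample lines are assumptions constructed for illustration; the field names come from the form shown in this post.

```python
import re
from urllib.parse import unquote_plus

# Field name from the login form on this page, matched case-insensitively.
SENSITIVE_KEYS = {"password"}
# Request part of a common-log-format line (assumed export format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jul/2008:10:01:02 +0200] "GET /names.nsf?Login'
    '&Username=myname&Password=mypassword'
    '&RedirectTo=/anotherdb.nsf/view?OpenView HTTP/1.1" 302 0',
    '192.0.2.10 - - [23/Jul/2008:10:01:05 +0200] '
    '"POST /names.nsf?Login HTTP/1.1" 302 0',
    '192.0.2.11 - - [23/Jul/2008:10:02:00 +0200] '
    '"GET /anotherdb.nsf/view?OpenView HTTP/1.1" 200 812',
]

def redact_query(query):
    """Return (query with password values masked, whether one was found)."""
    pieces, found = [], False
    for piece in query.split("&"):
        key, sep, value = piece.partition("=")
        # Domino commands such as "Login" have no "=", so they pass through.
        if sep and value and unquote_plus(key).lower() in SENSITIVE_KEYS:
            piece, found = key + "=[REDACTED]", True
        pieces.append(piece)
    return "&".join(pieces), found

def scan(lines):
    """List (line_no, method, redacted_url) for requests exposing a password."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Split at the first "?" only; RedirectTo may contain another one.
        path, _, query = match.group("url").partition("?")
        redacted, found = redact_query(query)
        if found:
            findings.append((line_no, match.group("method"), path + "?" + redacted))
    return findings

if __name__ == "__main__":
    for line_no, method, url in scan(SAMPLE_LOG):
        print(f"line {line_no}: {method} {url}")
```

The POST login on the second sample line is not flagged because its credentials travel in the request body, which the request line of an access log does not record. The username is left visible so that the affected account can be identified and its password changed.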

To secure the automated login further, an extra redirect can be used, so that the page itself does not contain the password. Even better, with no password exposure at all, is a page/form that calls an agent which performs the login in the background and then passes the session cookie back to the initial page. But that's a topic for another blog post. Here I will show the simplest solution.

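<form action="/names.nsf?Login" method="POST" name="LogonForm">
<input type="hidden" name="Username" value="myname">
<input type="hidden" name="Password" value="mypassword">
<input type="hidden" name="RedirectTo" value="/anotherdb.nsf/view?OpenView">
</form>
<!-- Submit the first form on the page as soon as it has been parsed -->
<script>document.forms[0].submit();</script>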


When the user opens this page, the first form is automatically submitted to "/names.nsf?Login". The user is logged in to Domino with the username and password specified in the form's fields and then redirected to another database according to the value of the RedirectTo field.



Anonymous said...

Good idea. I knew there was a reason why it always felt safer to do things over POST than by sticking it in the URL. (I use a technique like this in my ajax libraries -- works great.)

Leo said...

Look at

This can also do automated authentication in the POST data.

Anonymous said...

Hmm, this didn't seem to work on my 8.5 server. I'm still prompted to log in. Does it require certain server settings?

Bill said...

Hi Andrei, and thanks for the ideas!

We have a custom portal for the Notes client. In this portal, we have links to various resources including some secure Domino pages.

When users click on links to these secure Domino pages, I would like them to be automatically logged in and directed to the page.

Since this is in the Notes client, I want to use LotusScript to create a reusable function for this purpose. The code for this function is listed below, but I'm not sure how to proceed. After sending the POST the responseText property contains the HTML for the targetUrl, and responseHeaders contains something like this:

"Server: Lotus-Domino
Date: Mon, 21 Sep 2009 16:01:33 GMT
Last-Modified: Mon, 21 Sep 2009 16:01:31 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 812
Cache-control: private

How can I use the information returned by the POST to open a browser window to the correct page?

Is ETag some sort of session id that I can pass on the URL to automatically authenticate the user?

Is this even possible?

Here's my code so far...

Sub UrlOpenDominoLink(Byval host As String, Byval userName As String, Byval password As String, Byval targetUrl As String)

Dim xmlhttp As Variant
Dim content As String
content = "&redirectto=" & targetUrl & "&username=" & userName & "&password=" & password
Set xmlhttp = CreateObject("Msxml2.XMLHTTP")
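' Open a synchronous POST request to the Domino login URL
Call xmlhttp.open("POST", host & "/names.nsf?login", False)
Call xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
Call xmlhttp.setRequestHeader("Content-length", CStr(Len(content)))
' Send the form-encoded credentials in the request body
Call xmlhttp.send(content)
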
Dim responseText As String, responseHeaders As String
responseText = xmlhttp.responseText
responseHeaders = xmlhttp.getAllResponseHeaders()

End Sub

Bill Hanson said...

Hello Andrei,

I'm interested in your comment "an agent which makes login in background and then passes the session cookie back to the initial page".

Can you point me in the right direction to get started using this approach?
