Andrei's Blog about Lotus Domino and other things: Automated login to Domino by HTTP POST request

Wednesday, July 23, 2008

Automated login to Domino by HTTP POST request

In a comment to Joachim Dagerot's blog post "Login in with just url-arguments" I mentioned that it's possible to login without exposing login credentials in the URL. It is done by making a POST request to Domino web server, instead of GET request. User still can see login credentials if he views page's HTML source, but they are at least not shown directly in the URL. Showing login details in URL makes it possible for bypassers to see your password, it's saved in the browser's URL history and it's also logged in the Domino log database, which is not so good as anyone with access to the log database can see them. Such URL might even get indexed by Google and show up in the search results.

To additionally secure automated login, an extra redirect can be used, so the page itself does not contain the password. Or even better and without any password exposure is a page/form which calls an agent which makes login in background and then passes the session cookie back to the initial page. But that's a topic for another blog post. Here i will show the simplest solution.

<form action="/names.nsf?Login" method="POST" name="LogonForm">
<input type="hidden" name="Username" value="myname">
<input type="hidden" name="Password" value="mypassword">
<input type="hidden" name="RedirectTo" value="/anotherdb.nsf/view?OpenView">
</form>

<script>
document.forms[0].submit();
</script>

When user opens this page, the first form gets automatically submitted to "/names.nsf?Login". User gets logged in to Domino with username and password specified in the form's fields and then redirected to another database according to the value in RedirectTo field.

Tags: Lotus Domino

11 comments:

mdm-adph said...: Good idea. I knew there was a reason why it always felt safer to do things over POST than by sticking it in the URL. (I use a technique like this in my ajax libraries -- works great.); 12:01 PM
Leo said...: Look at http://ezscript.nl

This can also do automated authentication in the POST data.; 7:45 AM
Anonymous said...: hmm. this didn't seem to work on my 8.5 server..I'm still prompted to login.. Does it require certain server settings?; 11:04 AM
Bill said...: Hi Andrei, and thanks for the ideas!

We have a custom portal for the Notes client. In this portal, we have links to various resources including some secure Domino pages.

When users click on links to these secure Domino pages, I would like them to be automatically logged in and directed to the page.

Since this is in the Notes client, I want to use LotusScript to create a reusable function for this purpose. The code for this function is listed below, but I'm not sure how to proceed. After sending the POST the responseText property contains the HTML for the targetUrl, and responseHeaders contains something like this:

"Server: Lotus-Domino
Date: Mon, 21 Sep 2009 16:01:33 GMT
Last-Modified: Mon, 21 Sep 2009 16:01:31 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 812
Cache-control: private
ETag: W/"MTAtODEwNS04NTI1NzYzODAwYRETEjMwLTAtMC1DTj1XaWxsaWFtIEhhbnNvbi9PPU1haW5saW5l"
"

How can I use the information returned by the POST to open a browser window to the correct page?

Is ETag some sort of session id that I can pass on the URL to automatically authenticate the user?

Is this even possible?

Here's my code so far...

Sub UrlOpenDominoLink(Byval host As String, Byval userName As String, Byval password As String, Byval targetUrl As String)

Dim xmlhttp As Variant
Dim content As String
content = "&redirectto=" & targetUrl & "&username=" & userName & "&password=" & password
Set xmlhttp = CreateObject("Msxml2.XMLHTTP")
Call xmlhttp.open("POST", host & "/names.nsf?login", False)
Call xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
Call xmlhttp.setRequestHeader("Content-length", Len(content))
xmlhttp.send(content)

Dim responseText As String, responseHeaders As String
responseText = xmlhttp.responseText
responseHeaders = xmlhttp.getAllResponseHeaders()

End Sub; 9:16 AM
Anonymous said...: 酒店打工

 酒店兼職

 台北酒店

 打工兼差

 酒店工作

 酒店經紀

 禮服酒店

 酒店兼差

 酒店上班

 酒店PT

酒店

 酒店喝酒

 酒店消費

 喝花酒

 粉味

 喝酒; 3:53 AM
Adi said...: This comment has been removed by the author.; 7:08 AM
Adi said...: Oes Tsetnoc one of the ways in which we can learn seo besides Mengembalikan Jati Diri Bangsa. By participating in the Oes Tsetnoc or Mengembalikan Jati Diri Bangsa we can improve our seo skills. To find more information about Oest Tsetnoc please visit my Oes Tsetnoc pages. And to find more information about Mengembalikan Jati Diri Bangsa please visit my Mengembalikan Jati Diri Bangsa page and other update like as Beratnya Mengembalikan Jati Diri Bangsa, Mengembalikan Jati Diri Bangsa di perpanjang and Jangan Berhenti Mengembalikan Jati Diri Bangsa. Thank you So much.

Oes Tsetnoc | Lanjutkan Mengembalikan Jati Diri Bangsa; 7:12 AM
Paul said...: I was looking for information on Automated login to Domino by HTTP POST request and before ending in your blog I watched like 10 sites about generic viagra, web is full with that topic. But anyways the info on your site help me very much, thanks for the post and have a nice day.; 6:49 AM
jimmy choo wedges said...: Christian Louboutin Ernesta T-Strap Satin Sandal
Christian Louboutin Frouprive 120 sandal
Christian Louboutin Galaxy Pass 100 sandals
Christian Louboutin hot pink patent leather 'Noeudette' sandals
Christian Louboutin Josefa 120 platform sandals
christian louboutin Leopard-Print Slingback Sandal
Christian Louboutin Lima 120 sandals
christian louboutin Lima Buckled Velvet Sandal; 10:54 PM
Bill Hanson said...: Hello Andrei,

I'm interested in your comment "an agent which makes login in background and then passes the session cookie back to the initial page".

Can you point me in the right direction to get started using this approach?; 9:33 AM
poker strategy said...: You have shared a great idea.Thanks for post!; 4:18 AM