Wednesday, July 23, 2008

Automated login to Domino by HTTP POST request

In a comment to Joachim Dagerot's blog post "Login in with just url-arguments" I mentioned that it's possible to login without exposing login credentials in the URL. It is done by making a POST request to Domino web server, instead of GET request. User still can see login credentials if he views page's HTML source, but they are at least not shown directly in the URL. Showing login details in URL makes it possible for bypassers to see your password, it's saved in the browser's URL history and it's also logged in the Domino log database, which is not so good as anyone with access to the log database can see them. Such URL might even get indexed by Google and show up in the search results.

To additionally secure automated login, an extra redirect can be used, so the page itself does not contain the password. Or even better and without any password exposure is a page/form which calls an agent which makes login in background and then passes the session cookie back to the initial page. But that's a topic for another blog post. Here i will show the simplest solution.

<form action="/names.nsf?Login" method="POST" name="LogonForm">
<input type="hidden" name="Username" value="myname">
<input type="hidden" name="Password" value="mypassword">
<input type="hidden" name="RedirectTo" value="/anotherdb.nsf/view?OpenView">


When user opens this page, the first form gets automatically submitted to "/names.nsf?Login". User gets logged in to Domino with username and password specified in the form's fields and then redirected to another database according to the value in RedirectTo field.



Anonymous said...

Good idea. I knew there was a reason why it always felt safer to do things over POST than by sticking it in the URL. (I use a technique like this in my ajax libraries -- works great.)

Anonymous said...

Look at

This can also do automated authentication in the POST data.

Anonymous said...

hmm. this didn't seem to work on my 8.5 server..I'm still prompted to login.. Does it require certain server settings?

Bill Hanson said...

Hi Andrei, and thanks for the ideas!

We have a custom portal for the Notes client. In this portal, we have links to various resources including some secure Domino pages.

When users click on links to these secure Domino pages, I would like them to be automatically logged in and directed to the page.

Since this is in the Notes client, I want to use LotusScript to create a reusable function for this purpose. The code for this function is listed below, but I'm not sure how to proceed. After sending the POST the responseText property contains the HTML for the targetUrl, and responseHeaders contains something like this:

"Server: Lotus-Domino
Date: Mon, 21 Sep 2009 16:01:33 GMT
Last-Modified: Mon, 21 Sep 2009 16:01:31 GMT
Content-Type: text/html; charset=US-ASCII
Content-Length: 812
Cache-control: private

How can I use the information returned by the POST to open a browser window to the correct page?

Is ETag some sort of session id that I can pass on the URL to automatically authenticate the user?

Is this even possible?

Here's my code so far...

Sub UrlOpenDominoLink(Byval host As String, Byval userName As String, Byval password As String, Byval targetUrl As String)

Dim xmlhttp As Variant
Dim content As String
content = "&redirectto=" & targetUrl & "&username=" & userName & "&password=" & password
Set xmlhttp = CreateObject("Msxml2.XMLHTTP")
Call"POST", host & "/names.nsf?login", False)
Call xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
Call xmlhttp.setRequestHeader("Content-length", Len(content))

Dim responseText As String, responseHeaders As String
responseText = xmlhttp.responseText
responseHeaders = xmlhttp.getAllResponseHeaders()

End Sub

Adi said...
This comment has been removed by the author.
Anonymous said...

I was looking for information on Automated login to Domino by HTTP POST request and before ending in your blog I watched like 10 sites about generic viagra, web is full with that topic. But anyways the info on your site help me very much, thanks for the post and have a nice day.

Bill Hanson said...

Hello Andrei,

I'm interested in your comment "an agent which makes login in background and then passes the session cookie back to the initial page".

Can you point me in the right direction to get started using this approach?

poker strategy said...

You have shared a great idea.Thanks for post!

Play Poker Online said...

Thanks for your article,like your blog very much,well done

Poker game said...

Cool post. Very interesting and fascinating. Excellent. Thank You for your good job.

Online Rummy said...

Good idea.Thanks for post!

Rummy said...

Hey nice blog... its is really amazing. said...

very good, your blogs may be useful

please visit my website


Togelpelangi said...

I really like the article you are doing and something very interesting article to search

smokegood said...

Frischa Kevin said...

Automate Whatsapp Messages said...

This is really a very good article. Thanks for taking the time to discuss with us, I feel happy about learning this topic. keep sharing your information regularly for my future reference.

Paijo said...

I like the articles that are shared very well said...

Incredible information... Thanks alot... Keep sharing!!!

Creative Graphic Design

Blogger Keren said...

terimakasih infonya ya, jangan lupa klik dan mampir disini link maxbet indonesia

Anonymous said...

You posted this forever ago, but I just happened to need this for my project and it worked perfectly! Thank you for sharing.

online poker india said...

Nice Blog

Thanks for sharing.I have read your blog.great Written

play poker game free
poker strategy
texas poker
play poker online
texas holdem poker

pkv games said...



Kode ID Pro DominoQQ


Unknown said...

nice blog I really like the article you are doing and something very interesting article to search
Logo Design
Graphic Design
Thrones of Brand
Social Media Design


in modo che il tempo di giocare a tutti i giochi d'azzardo online sul sito Audy88 non sia perso e possa trarre il massimo dai benefici che possono essere ottenuti con il tempo che non viene sprecato.

Dubaiboy45 said...

ข่าว อีสปอร์ต

Anonymous said...

Thanks for sharing this article.

Bio -

Cecilia Celesta said...

Play and Win!!!
Agen Domino99
Agen DominoQQ

barsha said...

hi, this is very informative post.Thank you Games pkv