On Wed, Aug 27, 2008 at 11:10 AM, <aka...@gmail.com> wrote:
>
> Hello
> i've tried to solve login issue to Netvibes.com
> the problem is that after signing in
> {
> "page": {"title": "Netvibes"},
> "form": {
> "attributes": {
> "action": "http://www.netvibes.com/ajax/user/signIn.php",
> "method": "post"
> },
> "inputs": [
> {"type": "text", "name": "email", "value": ""},
> {"type": "hidden", "name": "session_only", "value": "1"},
> {"type": "password", "name": "password", "value": ""}
> ]
> },
> "version": "0.2.3"
>
> }
>
> the browser remains on the page "signIn.php" - and the screen is
> blank. the only text there is "success". but it seems that i have to
> be redirected to netvibes.com - how do i settle it? is there any
> possibility of redirecting after signing?
After Clipperz submit the direct login form, it completely loose
control over the page (for browser security policy) and so it is not
possible to redirect it to another url.
Sometimes the sites handle a "redirect" parameter on the URL, but that
may not be the case with Netvibes.
> 2) while trying to solve this i've found some interesting issue
> (imho):
> i've used the addon "Tamper Data" to find necessary POST data.
> the point is that in POST the password is encrypted. but when i use
> direct login - i see my password in POST
> and it's not encrypted any more.. so it can be tamped by someone else
> i think.
This may happen with some sites that preprocess the password value
with some javascript before sending it to the server.
Any plain html login form will just submit the actual password to the
server. And if the connection is not over SSL, someone could see it
passing.
Tamper data is in a very privileged position to inspect the submitted
data, as it is sitting right into the browser. If you happened to use
TCPDump instead, you will probably see encrypted data flowing around,
as most of the login sessions are handled through an SSL connection
anyway.
> and it's probably not always secure to login via Direct Login at any
> place :)
loggin is with Direct logins is as secure as directly logging in with
the original site login form: nothing more, nothing less.
> that's not critical, i think, but it seems that people have to be
> aware of it.
>
> for solving that i added one more field to my Card -
> "PasswordEncrypted" where i store encrypted pass which is easily found
> out using Tamper addon. and than in Direct login instead of using
> Password field i use PasswordEncrypted. thus no one will see your
> actual pass when u use DL.
Your approach to solve the problem was the same I would have done. But
this is not a general problem; the number of sites altering the
password before submitting it is very small in my experience.
Thanks for your feedback.
Best regards,
Giulio Cesare