Auto login

Re: Auto login

<1139367411.706 139.121500@f14g 2000cwb.googleg roups.com>

var passwd = document.forms['MyFormName'].
elements['EWEBIAC_HTML_L OGIN_FIELDS-alias_name_RES'].value;

// JavaScript doesn't resolve variables inside strings, it's not Perl
here :-)
// And what an ugly name with *minus* in it which is always a call for
troubles :-(
// But it's your solution anyway...

document.cookie = 'password=' + escape(passwd) +'; path= /';

// cookie values need to be escaped (es well as cookie names
// if you use some strange chars in it which is not a case here)

And so on with other cookies...

Re: Auto login

VK wrote:[color=blue]
> <1139367411.706 139.121500@f14g 2000cwb.googleg roups.com>
>
> var passwd = document.forms['MyFormName'].
> elements['EWEBIAC_HTML_L OGIN_FIELDS-alias_name_RES'].value;
>
> // JavaScript doesn't resolve variables inside strings, it's not Perl
> here :-)
> // And what an ugly name with *minus* in it which is always a call for
> troubles :-(
> // But it's your solution anyway...
>
> document.cookie = 'password=' + escape(passwd) +'; path= /';
>
> // cookie values need to be escaped (es well as cookie names
> // if you use some strange chars in it which is not a case here)
>
> And so on with other cookies...[/color]

Thank you friend, and if this works, I'll put those comments in there
just for fun :)

Re: Auto login

VK wrote:
[color=blue]
> <1139367411.706 139.121500@f14g 2000cwb.googleg roups.com>[/color]

You are trolling.
[color=blue]
> [...]
> document.cookie = 'password=' + escape(passwd) +'; path= /';
>
> // cookie values need to be escaped (es well as cookie names
> // if you use some strange chars in it which is not a case here)[/color]

Nonsense. `passwd' only needs to be escaped if it contained a
`;' as this is already the cookie value component delimiter;
a simple passwd.replace( ";", "%3B") suffices.


PointedEars

Re: Auto login


Thomas 'PointedEars' Lahn wrote:[color=blue]
> VK wrote:
>[color=green]
> > <1139367411.706 139.121500@f14g 2000cwb.googleg roups.com>[/color]
>
> You are trolling.
>[color=green]
> > [...]
> > document.cookie = 'password=' + escape(passwd) +'; path= /';
> >
> > // cookie values need to be escaped (es well as cookie names
> > // if you use some strange chars in it which is not a case here)[/color]
>
> Nonsense. `passwd' only needs to be escaped if it contained a
> `;' as this is already the cookie value component delimiter;
> a simple passwd.replace( ";", "%3B") suffices.
>
>
> PointedEars[/color]

Could you clarify this for me please? Should I NOT use the javascript
the first guy suggested?

Re: Auto login

Navillus wrote:
[color=blue]
> Thomas 'PointedEars' Lahn wrote:[color=green]
>> VK wrote:[color=darkred]
>> > [...]
>> > document.cookie = 'password=' + escape(passwd) +'; path= /';
>> >
>> > // cookie values need to be escaped (es well as cookie names
>> > // if you use some strange chars in it which is not a case here)[/color]
>>
>> Nonsense. `passwd' only needs to be escaped if it contained a
>> `;' as this is already the cookie value component delimiter;
>> a simple passwd.replace( ";", "%3B") suffices.
>> [...][/color]
>
> Could you clarify this for me please? Should I NOT use the javascript
> the first guy suggested?[/color]

You should not, as you should treat everything VK posts here with extreme
care (ask Google for details).

Using escape() here would make the stored password value longer than it
needs to be and therefore consume more disk space of your user's storage
medium than necessary, while not providing for increased security at all
(which was probably the intention). For example, the short password

#a3%!?_&

would be stored in the cookie as

%23a3%25%21%3F_ %26

(more than twice as long) if you used VK's code even though it could be
stored as is without negative effect. Note that is specified that user
agents must support cookie data up to 4 KiB; if you escape everything
always, the amount of real information that can be stored reliably is
considerably smaller.

Generally, it is enough for cookie data to escape the `;' and probably the
`=' character too in some way. This is necessary because the `;' character
is used to separate the cookie components, that are the cookie name-value
pair and the `path' component here, and the `=' character is used to
separate cookie name/component label and its value. So if you did not
allow for `;' and `=' in passwords (but you should; they are non-word
characters that increase password security), there would be no technical
need to escape anything here.

However, since we are talking about a password which probably allows for
access to sensitive data, you want to consider storing the password in
coded form so that not everybody who has access to the cookie file can
access it as is. Escaping the password with escape() is too insecure to do
that (because unescape() can "decode" that easily), so you should look for
a stronger encryption algorithm. If you do that, it is probably a Good
Idea not to use client-side scripting for encrypting that password only; if
you did, the encryption and decryption algorithms would be plain script
source in your HTML document or in an included script file and the security
level of your password encryption would be lower as it could be. (An
interesting approach is to store only the password checksum, like a MD5
checksum, instead of the password itself, on the client [cookie]. When
authenticating automatically, the client authenticates with the stored
checksum instead of the real password, and the server compares that
checksum against the checksum of the password stored in its database. If
they match, the authentication is successful. And only the user can know
the actual password, since trying all password combinations and comparing
their checksum against the checksum stored on disk [in the cookie] is
probably too much effort for the average cracker. But I am digressing :))

You also want to consider using the `domain' component. If you set it to
the second-level domain of your associates site, all sub-level domains can
access the cookie later, too.

See <URL:http://en.wikipedia.or g/wiki/HTTP_cookie>, RFC2109 (obsolete) and
RFC2965 for further information.


HTH

PointedEars

Re: Auto login

Thomas 'PointedEars' Lahn said the following on 2/8/2006 5:49 PM:[color=blue]
> VK wrote:
>[color=green]
>> <1139367411.706 139.121500@f14g 2000cwb.googleg roups.com>[/color]
>
> You are trolling.[/color]

It looks more like you are. If you weren't so Hitler-like you would
almost be tolerable. As it is, you are no better than VK is.

--
Randy
comp.lang.javas cript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

Re: Auto login


Thomas 'PointedEars' Lahn wrote:[color=blue]
> Generally, it is enough for cookie data to escape the `;' and probably the
> `=' character too in some way.
> ...
> ... and so on... and so on.... as usual...[/color]


<http://wp.netscape.com/newsref/std/cookie_spec.htm l>
NAME=VALUE
This string is a sequence of characters excluding semi-colon, comma
and white space. If there is a need to place such data in the name or
value, some encoding method such as URL style %XX encoding is
recommended, though no encoding is defined or required.

<http://msdn.microsoft. com/workshop/author/dhtml/reference/properties/cookie.asp>
The value is passed to the JScript escape function to ensure that the
value only contains valid characters. When the cookie is retrieved, the
JScript unescape function should be used to translate the value back to
its original form.

<http://devedge-temp.mozilla.or g/library/manuals/2000/javascript/1.3/guide/advtopic.html>
If name and value contain any semicolon, comma, or blank (space)
characters, you must use the escape function to encode them and the
unescape function to decode them.


Navillus wrote:[color=blue]
> Could you clarify this for me please? Should I NOT use the javascript
> the first guy suggested?[/color]

You are welcome to use any of posted solutions or none of these. The
overall best approach would be to learn cookie mechanics and
JavaScript-driven form manipulation in order to take a conscious
choice. In case of lack of time you may drop a coin ;-)

Re: Auto login

VK wrote:
[color=blue]
> Thomas 'PointedEars' Lahn wrote:[color=green]
>> Generally, it is enough for cookie data to escape the `;' and probably
>> the `=' character too in some way.
>> ...
>> ... and so on... and so on.... as usual...[/color][/color]
^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^ ^^^^^^^^^^^^
I did not write that. You are trolling again.
[color=blue]
> <http://wp.netscape.com/newsref/std/cookie_spec.htm l>[/color]

The Netscape Cookie Specification has been obsoleted by the RFCs long ago.
[color=blue]
> NAME=VALUE
> This string is a sequence of characters excluding semi-colon, comma
> and white space. If there is a need to place such data in the name or[/color]
^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^ ^^^^^^^[color=blue]
> value, some encoding method such as URL style %XX encoding is[/color]
^^^^^ ^^^^^^^^^^^^^^^ ^^^^^[color=blue]
> recommended, though no encoding is defined or required.[/color]
^^^^^^^^^^^ ^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^ ^^^^^^^^^^^^


PointedEars

Re: Auto login

VK wrote:[color=blue]
> <1139367411.706 139.121500@f14g 2000cwb.googleg roups.com>
>
> var passwd = document.forms['MyFormName'].
> elements['EWEBIAC_HTML_L OGIN_FIELDS-alias_name_RES'].value;
>
> // JavaScript doesn't resolve variables inside strings, it's not Perl
> here :-)
> // And what an ugly name with *minus* in it which is always a call for
> troubles :-(
> // But it's your solution anyway...
>
> document.cookie = 'password=' + escape(passwd) +'; path= /';
>
> // cookie values need to be escaped (es well as cookie names
> // if you use some strange chars in it which is not a case here)
>
> And so on with other cookies...[/color]

I tried this, and it won't even create the cookies. I'm sorry I can't
be more descript than that. Before, when I used my old code, it would
at least initialize the cookie, but the values would be all messed up.
Can anyone help?

Re: Auto login

VK wrote:[color=blue]
> <1139367411.706 139.121500@f14g 2000cwb.googleg roups.com>
>
> var passwd = document.forms['MyFormName'].
> elements['EWEBIAC_HTML_L OGIN_FIELDS-alias_name_RES'].value;
>
> // JavaScript doesn't resolve variables inside strings, it's not Perl
> here :-)
> // And what an ugly name with *minus* in it which is always a call for
> troubles :-(
> // But it's your solution anyway...
>
> document.cookie = 'password=' + escape(passwd) +'; path= /';
>
> // cookie values need to be escaped (es well as cookie names
> // if you use some strange chars in it which is not a case here)
>
> And so on with other cookies...[/color]

I'm getting errors saying that the variables are undefined. I don't
think javascript easily recognizes SAP form variables. Any idea how to
get SAP form variables into a form that javascript will recognize?

Re: Auto login

Navillus wrote:
[color=blue]
> VK wrote:[color=green]
>> var passwd = document.forms['MyFormName'].
>> elements['EWEBIAC_HTML_L OGIN_FIELDS-alias_name_RES'].value;
>>
>> // JavaScript doesn't resolve variables inside strings, it's not Perl
>> here :-)
>> // And what an ugly name with *minus* in it which is always a call for
>> troubles :-(
>> // But it's your solution anyway...
>>[...][/color]
>
> I'm getting errors saying that the variables are undefined. I don't
> think javascript easily recognizes SAP form variables.[/color]

Why do you not post (snippets of) _generated_ code, not generating one (as
little as I admittedly know about SAP, your "SAP code" does look like a
server-side template that merely _generates_ [X]HTML code), then leave the
assessment of what is easily possible or not with JavaScript (or another
ECMAScript implementation) to people who obviously do know more about the
subject than you (you would not ask here if it was not so, would you?)
[color=blue]
> Any idea how to get SAP form variables into a form that javascript will
> recognize?[/color]

IMNSHO it is rather not a matter of JavaScript (or another ECMAScript
implementation) recognizing "SAP form variables" but a matter of what these
"variables" really are. Besides, "this guy"'s (FOAF's?) (X)HTML code is
not Valid markup already, which is what should be changed first; it is
entirely possible that "magically" everything "fixes" by itself then.

<URL:http://validator.w3.or g/>


PointedEars

Re: Auto login


Thomas 'PointedEars' Lahn wrote:[color=blue]
> VK wrote:
>[color=green]
> > <1139367411.706 139.121500@f14g 2000cwb.googleg roups.com>[/color]
>
> You are trolling.
>[color=green]
> > [...]
> > document.cookie = 'password=' + escape(passwd) +'; path= /';
> >
> > // cookie values need to be escaped (es well as cookie names
> > // if you use some strange chars in it which is not a case here)[/color]
>
> Nonsense. `passwd' only needs to be escaped if it contained a
> `;' as this is already the cookie value component delimiter;
> a simple passwd.replace( ";", "%3B") suffices.[/color]


And what would happen if passwd already contained the "%3B" string?
Only replacing ";" with "%3B" wouldn't help here since you wouldn't get
the original string back.

Re: Auto login

tngd81@gmail.co m wrote:
[color=blue]
> Thomas 'PointedEars' Lahn wrote:[color=green]
>> VK wrote:[color=darkred]
>> > [...]
>> > document.cookie = 'password=' + escape(passwd) +'; path= /';
>> >
>> > // cookie values need to be escaped (es well as cookie names
>> > // if you use some strange chars in it which is not a case here)[/color]
>>
>> Nonsense. `passwd' only needs to be escaped if it contained a
>> `;' as this is already the cookie value component delimiter;
>> a simple passwd.replace( ";", "%3B") suffices.[/color]
>
> And what would happen if passwd already contained the "%3B" string?
> Only replacing ";" with "%3B" wouldn't help here since you wouldn't get
> the original string back.[/color]

Yes, iff such values are possible, that has to be considered. The statement
that cookie values need to be (read: must always be) escaped as VK did is
wrong, though.


PointedEars

Re: Auto login

Thomas,
Here's what the generated code looks like on the registration page.
Thanks for sticking with me on this:


<body id="webguiBody " leftmargin=0 topmargin=0
class="WebguiBo dyScroll"
onLoad="webguiO nLoad(); webguiSetDocume ntName();
SAP_WebFramewor kOnload();
checkChangeFlag = false; dataIsDirtyFlag = false; if(
window.SAP_Temp lateOnloadFunct ion != null )
SAP_TemplateOnl oadFunction();" >

<form id=webguiform name="webguifor m"
action="/scripts/wgate/ziac_register04 b21d17/~flNlc3Npb249RD AxOkNJVFlERVZUU kVYOjAwMDAuMDAx Mi41MTQ2ZmM4MS4 4MjM5Jn5odHRwX2 NvbnRlbnRfY2hhc nNldD1pc28tODg1 OS0xJn5TdGF0ZT0 yMTM0My4wMDIuMD MuMDM="
method="post" target="_self"
onclick="webgui DoClick(event)" onfocus="webgui DoFocus(event)"
onkeydown="webg uiDoKeyDown(eve nt)" ondblclick="web guiDoDblClick(e vent)"[color=blue]
>[/color]
<input type="hidden" name="~Menuitem " value="">
<input type="hidden" name="~Focusfie ld" value="">
<input type="hidden" name="~OkCode" value="">
<input type="hidden" name="~FKey" value="">
<input type="hidden" name="~Searchhe lp" value="">
<input type="hidden" name="~Control" value="">
<input type="hidden" name="~Event" value="">
<input type="hidden" name="~EventPar ameter" value="">
<input type="hidden" name="~webguiUs erAreaHeight" value="350">
<input type="hidden" name="~webguiUs erAreaWidth" value="984">
<input type="hidden" name="~webguiRe nderTime" value="0">
<input type="hidden" name="~webguiRe questTime" value="0">
<input type="hidden" name="~webguiSt artRequestTime"
value="11400320 60265">
<input type="hidden" name="~printdat a_close" value="">
<input type="hidden" name="~webguiMo dalPixelLeft" value="">
<input type="hidden" name="~webguiMo dalPixelTop" value="">

<input type="hidden" name="~webgui_t ype_dynprodata" value="">
<input type="hidden" name="~webgui_m odalwindow" value="">
<input type="hidden" name="~webgui_c ursorobj" value="">
<input type="hidden" name="~webgui_c ursorcol" value="">
<input type="hidden" name="~ctxmenur equest" value="">
<input type="hidden" name="~ctxmenus elected" value="">
<input type="hidden" name="~webguiWi ndowHeight" value="">
<input type="hidden" name="~webguiWi ndowWidth" value="">
<input id="~ToolbarOkC odeVisible" type="hidden"
name="~ToolbarO kCodeVisible" value="">
<div id="webguiConta iner">
<div id="webguiUserA rea">


<h2 style="font-style:arial" style="font-size:24pt">Onli ne
Registration</h2>

<div nowrap class="SIgroupb oxcontent" style="">

<span class="SIgroupb oxheader" SAPDPT="1" >&nbsp;Online
Registration</span><img SAPDPT="1"
src="/sap/its/mimes/webgui/wa/scrindp/images/misc/1x1.gif"
class="SIgroupB oxCornerimage">
<div><div class="SIgroupB oxContentPaddin g" style="position :relative;
width:100%">




<script language="JavaS cript"
src='/sap/its/mimes/webgui/wa/scrindp/scripts/msiexplorer/editablefield.j s'>
</script>
<span id="alias_name " >
<script>SAP_Tem plateEditableFi eldInit( "alias_name ", "User Id",

"200", "", "40", "User Id is freely definable. Email address
can be used if it is forty characters or less.", "" );
</script>

<div nowrap style="margin-top:0;">

<span
id="alias_name: fieldLabel"
class="SIfieldl abel"
style="width: 200; "

title="User Id">&nbsp;&nbsp ;User Id&nbsp;
<span class="SIrequir edfield">*</span>
&nbsp;&nbsp;&nb sp;</span>

<input
id="alias_name: value" title="User Id" class="SIinput" type="text"
name="ewebiac_h tml_login_field s-alias_name[1]"size="40"
tabindex="2"
value="" maxlength="40"
[color=blue]
>[/color]
<span id="alias_name: inspectionText" class="SIinspec tiontext"

title="User Id is freely definable. Email address can be used if
it is forty characters or less."
[color=blue]
>[/color]

&nbsp;&nbsp;&nb sp;User Id is freely definable. Email address can
be used if it is forty characters or less.

</span></div>

</span>



<span id="account" >
<script>SAP_Tem plateEditableFi eldInit( "account", "Account
Number",
"200", "", "12", "", "" );
</script>

<div nowrap style="margin-top:0;">

<span
id="account:fie ldLabel"
class="SIfieldl abel"
style="width: 200; "

title="Account Number">&nbsp;& nbsp;Account Number&nbsp;
<span class="SIrequir edfield">*</span>
&nbsp;&nbsp;&nb sp;</span>

<input
id="account:val ue" title="Account Number" class="SIinput" type="text"
name="ewebiac_h tml_login_field s-vkont[1]"size="12"
tabindex="3"
value="" maxlength="12"
[color=blue]
>[/color]
<span id="account:ins pectionText" class="SIinspec tiontext"
[color=blue]
>[/color]

</span></div>

</span>



<span id="NEW_PASS" >
<script>SAP_Tem plateEditableFi eldInit( "NEW_PASS", "Password",
"200", "", "8", "Maximum length is eight characters.", "" );
</script>

<div nowrap style="margin-top:0;">

<span
id="NEW_PASS:fi eldLabel"
class="SIfieldl abel"
style="width: 200; "

title="Password ">&nbsp;&nbsp;P assword&nbsp;
<span class="SIrequir edfield">*</span>
&nbsp;&nbsp;&nb sp;</span>

<input
id="NEW_PASS:va lue" title="Password " class="SIinput" type="password"
name="ewebiac_h tml_login_field s-new_pass[1]"size="8"
tabindex="4"
value="" maxlength="8"
[color=blue]
>[/color]
<span id="NEW_PASS:in spectionText" class="SIinspec tiontext"

title="Maximum length is eight characters."
[color=blue]
>[/color]


Thomas 'PointedEars' Lahn wrote:[color=blue]
> Navillus wrote:
>[color=green]
> > VK wrote:[color=darkred]
> >> var passwd = document.forms['MyFormName'].
> >> elements['EWEBIAC_HTML_L OGIN_FIELDS-alias_name_RES'].value;
> >>
> >> // JavaScript doesn't resolve variables inside strings, it's not Perl
> >> here :-)
> >> // And what an ugly name with *minus* in it which is always a call for
> >> troubles :-(
> >> // But it's your solution anyway...
> >>[...][/color]
> >
> > I'm getting errors saying that the variables are undefined. I don't
> > think javascript easily recognizes SAP form variables.[/color]
>
> Why do you not post (snippets of) _generated_ code, not generating one (as
> little as I admittedly know about SAP, your "SAP code" does look like a
> server-side template that merely _generates_ [X]HTML code), then leave the
> assessment of what is easily possible or not with JavaScript (or another
> ECMAScript implementation) to people who obviously do know more about the
> subject than you (you would not ask here if it was not so, would you?)
>[color=green]
> > Any idea how to get SAP form variables into a form that javascript will
> > recognize?[/color]
>
> IMNSHO it is rather not a matter of JavaScript (or another ECMAScript
> implementation) recognizing "SAP form variables" but a matter of what these
> "variables" really are. Besides, "this guy"'s (FOAF's?) (X)HTML code is
> not Valid markup already, which is what should be changed first; it is
> entirely possible that "magically" everything "fixes" by itself then.
>
> <URL:http://validator.w3.or g/>
>
>
> PointedEars[/color]