Home > Software design >  Python requests ajax form authentication issue
Python requests ajax form authentication issue

Time:12-20

I have seemed to be an obvious problem, login to a website programmatically and then get data when authenticated.

I've been reading StackOverflow for a few days and can't find a working solution.

Here is the login form, which is also accessible using a separate URL and after logging in via browser it redirects to the home page:

<strong >i  aria-hidden="true"></i>Login</strong>
<div >
    <form action="https://test.com/login/" data-form="ajax" method="post">
        <div >
        </div>
        <div>
            <div >
                <label for="login_username" >Username</label>
                <input type="text" name="username" id="login_username" 
                    placeholder="Enter your username" />
                <div ></div>
            </div>

            <div >
                <label for="login_pass" >Password</label>
                <input type="password" name="pass" id="login_pass"  placeholder="Enter your password" />
                <div ></div>
            </div>

            <div >
                <div  style="padding-left: 0;">
                    <input type="checkbox" name="remember_me" id="login_remember_me"  value="1" checked />
                    <label for="login_remember_me">remember me</label>
                </div>
                <div  style="padding-right: 0px;">
                    <a href="https://test.com/reset-password/" data-fancybox="ajax">Forgot password?</a><br />
                    <a href="https://test.com/resend-confirmation/" data-fancybox="ajax">Missing confirmation email?</a>
                </div>
            </div>

            <div >
                <input type="hidden" name="action" value="login" />
                <input type="hidden" name="email_link" value="https://test.com/email/" />
                <input type="submit"  value="Log in" />
            </div>
            <div >
                <span >Not a member yet? Sign up now for free!</span>
            </div>
            <div >
                <a href="https://test.com/signup/"  data-fancybox="ajax">Sign up</a>
            </div>
        </div>
    </form>
</div>

Here is the Python code I've tried:

payload = {
   'username': 'mylogin',
   'pass': 'mypass'
}

with requests.Session() as s:
    r = s.post('https://test.com/login/', data=payload)
    r = s.get('https://test.com/testpage/')

Same logic in PowerShell:

$payload = @{
   username = 'mylogin'
   pass = 'mypass'
}

$r = Invoke-RestMethod 'https://test.com/login/' -Method POST -Body $payload -SessionVariable 'Session'
$r = Invoke-WebRequest -Uri "https://test.com/testpage/" -WebSession $Session

But none of the above is working, I'm still getting results for non-authenticated user.

CodePudding user response:

Here is a working example using one of my Django sites and a demo login account.

requests.Session() is used to manage the cookies. In order to make it work, I had to explicitely manage the header content such as adding the Referer before posting the login.

import requests
import re

base_url = 'https://www.archery-analytics.com/en/'

# use session object to manage cookies and headers
s = requests.Session()
s.headers.update({
    'Host': 'www.archery-analytics.com',
    'Origin': 'https://www.archery-analytics.com',
    })

# get login form and cookies
r1 = s.get(base_url   'public/home')
print(r1.status_code, r1.url)

# add Referer to header
s.headers.update({
    'Referer': r1.url,
    })

# get csrf token of form (= hidden input element of login form)
reggie = re.compile(rb".*name=\"csrfmiddlewaretoken\" value=\"(?P<csrf>\w )\".*")
match = reggie.findall(r1.content)

# login data for demo account
payload = {
    'username': 'RyngDyng',
    'password': '123demo123',
    'login': '',
    'csrfmiddlewaretoken': match[0].decode("utf-8")
}

# login post
r2 = s.post(base_url   'global/login', data=payload)
print(r2.status_code, r2.url)

# check successful login
if r2.status_code == requests.codes.ok:

    # test logged in: access to page for editing user profile
    r3 = s.get(base_url   'global/edit_profile')
    print(r3.status_code, r3.url)
    
    
    # logout
    r4 = s.get(base_url   'global/logout')
    print(r4.status_code, r4.url)

Output:

200 https://www.archery-analytics.com/en/public/home
200 https://www.archery-analytics.com/en/public/home
200 https://www.archery-analytics.com/en/global/edit_profile
200 https://www.archery-analytics.com/en/public/home
  • Related