3

I use Requests (2.2.1) to login a url http://tx3.netease.com/logging.php?action=login, but the login logic of this url is different from Django's csrf token mechanism, that is:

  1. When you GET this url, there is two import values formhash and sts in html text, both of which will be used in a js function do_encrypt (in file http://tx3.netease.com/forumdata/cache/rsa/rsa_min.js). This is fine, I can easily grab them via re.

The key part of html text is:

<form method="post" name="login" id="loginform" class="s_clear" onsubmit="do_encrypt('ori_password','password');pwdclear = 1;" action="logging.php?action=login&amp;loginsubmit=yes">
<input type="hidden" name="formhash" value="91e54489" />
<input type="hidden" name="referer" value="http://tx3.netease.com/" />
<input type="hidden" name="sts" id="sts" value="1409414053" />
<input type="hidden" name="password" id="password" />
...
<input type="password" id="ori_password" name="ori_password" onfocus="clearpwd()" onkeypress="detectCapsLock(event, this)" size="36" class="txt" tabindex="1" autocomplete="off" />
...
</form>

2. After entering email and original password ori_password, clicking submit button will call do_encrypt, which will use formhash, sts and ori_password to set the real password password for the post dict. Problem comes out -- There seems no way to get password string directly. (For contrast, you can directly get csrfmiddlewaretoken from session_client.cookies['csrftoken'] in Django case)

This is the code:

import requests
import json
import re

loginUrl = "http://tx3.netease.com/logging.php?action=login"

client = requests.session()

r = client.get(loginUrl)
r.encoding='gb18030'

stsPat = re.compile('<input type="hidden" name="sts" id="sts" value="(\d+?)" />')
formhashPat = re.compile('<input type="hidden" name="formhash" value="([\d\w]+?)" />')

sts = stsPat.search(r.text).groups()[0]
formhash = formhashPat.search(r.text).groups()[0]


loginData={
    'username'  : "smaller9@163.com",
    'password'  : ..., # Set by js function do_encrypt
    'referer':'/',
    'loginfield':'username',
    'ori_password':'', # it's `111111`, but `do_encrypt` will set it to empty.
    'loginsubmit':'true',
    'sts':sts,
    'formhash':formhash,
    }
# r = client.post(url=loginUrl,data=loginData)
xiang
  • 393
  • 3
  • 14
  • 5
    You'll either have to execute the JS with a JS engine *or* reimplement the same logic in Python. Neither of which `requests` can help you with. – Martijn Pieters Aug 30 '14 at 17:14

1 Answers1

4

Assuming you have permission to do so, try logging in with selenium as i think that will be more inline with what you are ultimately trying to do.

from selenium import webdriver

USERNAME = "foo@bar.com"
PASSWORD = "superelite"

# create a driver
driver = webdriver.Firefox()

# get the homepage
driver.get("http://tx3.netease.com/logging.php?action=login")

un_elm = driver.find_element_by_id("username")
pw_elm = driver.find_element_by_id("ori_password")
submit = driver.find_element_by_css_selector("[name=loginsubmit]")

un_elm.send_keys(USERNAME)
pw_elm.send_keys(PASSWORD)

# click submit
submit.click()

# get the PHPSESSID cookie as that has your login data, if you want to use
# it elsewhere
# print driver.get_cookies():

# do something else ...
Victory
  • 5,811
  • 2
  • 26
  • 45
  • Thanks a lot. Your method helps me to successfully login! Now I will try to make it work with `Requests`'s session :-) – xiang Aug 31 '14 at 02:54