1

I am trying to get past the authentication challenges for a particular API service using Python Requests. I have already tried BasicHTTP and other default auth methods. So I am trying to send in the username and password via form data.

Here is what Chrome DevTools reveals when I succesfully login manually (let me know if you need more data from DevTools):

Request Method:POST
Status Code:302 Found

Form Data
__LASTFOCUS:
__EVENTTARGET:
__EVENTARGUMENT:
__VIEWSTATE: <hashed stuff>
__VIEWSTATEGENERATOR:7A06DDCB
__SCROLLPOSITIONX:0
__SCROLLPOSITIONY:0
ctl00%24MainContentPlaceHolder%24MainLogin%24UserName:<usernamecleartext>
ctl00%24MainContentPlaceHolder%24MainLogin%24Password:<passwordcleartext>
ctl00%24MainContentPlaceHolder%24MainLogin%24RememberMe:on
ctl00%24MainContentPlaceHolder%24MainLogin%24LoginButton:Log+In+%3E

Here is my code:

import requests

url='<theloginurl>'

payload = {
    'ctl00$MainContentPlaceHolder$MainLogin$UserName':'<usernamecleartext>',
    'ctl00$MainContentPlaceHolder$MainLogin$Password':'<passwordcleartext>'
}

r = requests.post(url, data=payload)
print(r.url)
print(r)
print(r.headers)

And even if I include the other two form items DevTools reports in my payload dictionary, the result is the same.

Dwight J. Browne
  • 378
  • 2
  • 9
Terry Graham
  • 23
  • 6
  • The `__VIEWSTATE*` entries need to be included as well; you need to parse them from the form first. – Martijn Pieters Dec 11 '14 at 17:23
  • Thank you for pointing me in the right direction. It seems that this being an asp.net form may be one of the keys. Since I am learning the requests library, I found a similar issue with an effort to solve using requests here: http://stackoverflow.com/questions/24975955/sending-an-asp-net-post-with-pythons-requests But I am still confused about where the viewstate values are coming from in the first place. When I visit the site manually, it is a first a get request. But I can't find those values in DevTools at all. Then a post is sent and the values are suddenly present. Confused?? – Terry Graham Dec 11 '14 at 19:51
  • If not part of the page then it is set by JavaScript code based on other info in the page or in headers (inc cookies). – Martijn Pieters Dec 11 '14 at 20:00
  • So I won't find it in DevTools then? – Terry Graham Dec 11 '14 at 20:03
  • I don't know; although I answered that other question I have not analysed an ASP.NET login form in detail. – Martijn Pieters Dec 11 '14 at 20:06
  • Ok. Sorry for the confusion and thank you for the help. I was hoping to better understand the process and what is going on, not just copy code. This is why I was trying to stay within a single library. As soon as I introduce urllib and/or urllib2, I get really confused as to what is happening. – Terry Graham Dec 11 '14 at 20:09
  • Right, the other question you linked to (the one I answered) uses `requests` to do the same thing; it's all just sending headers and a POST body (which is easier with `requests` than it is with `urllib` but the differences are not that big). – Martijn Pieters Dec 11 '14 at 20:15
  • I got it now! Thank you! – Terry Graham Dec 11 '14 at 20:42

0 Answers0