3

I'm trying to log into an https website with my Android app. The website returns a response code of 302 if the log in was successful and 200 if the log in was unsuccessful. I've researched how to use AndroidHttpClient and looked at examples, but I haven't been able to see any difference between my code and theirs. No matter what username and password I send to the website, I get a response code of 200 back -- even if the combination is correct. Do I have to do something special since the website uses secure http? Here is my code. I really appreciate any help.

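```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import android.net.http.AndroidHttpClient;
import android.util.Log;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.CookieStore;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HTTP;
import org.apache.http.protocol.HttpContext;

public void login(String url, String username, String password) {
  HttpResponse httpResponse = null;

  // Cookie store shared through the context so a session cookie can be kept
  CookieStore cookieStore = new BasicCookieStore();
  HttpContext httpContext = new BasicHttpContext();
  httpContext.setAttribute(ClientContext.COOKIE_STORE, cookieStore);
  AndroidHttpClient httpClient = AndroidHttpClient.newInstance("Android");

  // Login form fields
  List<NameValuePair> params = new ArrayList<NameValuePair>();
  params.add(new BasicNameValuePair("name", username));
  params.add(new BasicNameValuePair("pass", password));
  params.add(new BasicNameValuePair("form_id", "user_login"));

  HttpGet httpGet = new HttpGet(url);
  HttpPost post = new HttpPost(url);
  try {
    post.setEntity(new UrlEncodedFormEntity(params, HTTP.UTF_8));
    // The request that is actually executed is httpGet
    httpResponse = httpClient.execute(httpGet, httpContext);
  } catch (ClientProtocolException e) {
    e.printStackTrace();
  } catch (IOException e) {
    e.printStackTrace();
  } finally {
    httpClient.close();
  }
  if (httpResponse != null) {
    Log.i("My App", String.valueOf(httpResponse.getStatusLine().getStatusCode()));
  }
}
```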
Cole119
  • Response code 200 is when your HTTP connection is successful, it won't check that you are logged in or not. So if your connection is successful it will return 200 only. – Lalit Poptani Oct 06 '11 at 02:37
  • Does this particular site redirect to a login page instead of returning 302 perhaps? (Related: http://stackoverflow.com/questions/199099/how-to-manage-a-redirect-request-after-a-jquery-ajax-call) – Kevin Stricker Oct 06 '11 at 02:40
  • @Lalit Poptani Do you know why it gives me a response code 302 when I use javax.net.ssl.HttpsURLConnection? Also, I'm pretty sure I'm not getting a cookie to log me in when I get a 200 response. It's like it just ignores the log in request and just pulls up the log in page. – Cole119 Oct 06 '11 at 02:43
  • @mootinator I'm actually sending the login request to the log in page, so it doesn't redirect. – Cole119 Oct 06 '11 at 02:44
  • If you get redirected back to the log in page at all when entering incorrect credentials rather than getting an error page, it's the same thing. – Kevin Stricker Oct 06 '11 at 02:46
  • @mootinator Yeah, what I mean is I'm getting 200 even when the login credentials are correct. – Cole119 Oct 06 '11 at 02:48
  • Right, I have it backwards. Could be the same basic problem though (302 not being exposed to the client because it's a redirect, so you only get the 200 from the target) – Kevin Stricker Oct 06 '11 at 02:52
  • @mootinator I just tried looking at the current url after sending the log in request and it's still the login page, so I'm pretty sure the log in is failing somehow. Normally, if the log in is successful, it will redirect to the homepage. Thanks for the idea, though. I hadn't thought of that. – Cole119 Oct 06 '11 at 03:04

1 Answer

0

You should use POST instead of GET because GET will automatically handle the redirect, but:

If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

Reference: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

Edit: On further inspection, it looks like the KVP were being passed into the HttpPost but the HttpGet was being used for the request, so the username/password wouldn't have been passed to the server at all.

Sometimes overthinking things does lead one in the right direction though

Sathyajith Bhat
Kevin Stricker
  • Not a droid or java developer but I was going by: `httpGet = new HttpGet(url);` and `httpResponse = httpClient.execute(httpGet, httpContext);` (and not using your `post` variable in the request.) – Kevin Stricker Oct 06 '11 at 03:07
  • Oh wow you're correct! Haha I looked at so many examples on the web that I must've mixed up different parts and used get instead of post. Thank you so much! – Cole119 Oct 06 '11 at 03:12
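
The fix discussed in this thread, written out as an added example (not code from the question or the answer): the form fields are sent with the `HttpPost`, and the 302 is read directly instead of being followed. The class name `LoginExample` and the https check are assumptions added here; the form field names and the 302-on-success behaviour are taken from the question.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import android.net.http.AndroidHttpClient;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.params.HttpClientParams;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HTTP;
import org.apache.http.protocol.HttpContext;

public class LoginExample {  // hypothetical class name
  /** Returns the redirect target on a 302 (login accepted), or null otherwise. */
  public static String login(String url, String username, String password) throws IOException {
    // Credentials must only travel over TLS; refuse any other scheme.
    if (!url.regionMatches(true, 0, "https://", 0, 8)) {
      throw new IllegalArgumentException("login URL must use https");
    }
    HttpContext httpContext = new BasicHttpContext();
    httpContext.setAttribute(ClientContext.COOKIE_STORE, new BasicCookieStore());
    List<NameValuePair> params = new ArrayList<NameValuePair>();
    params.add(new BasicNameValuePair("name", username));
    params.add(new BasicNameValuePair("pass", password));
    params.add(new BasicNameValuePair("form_id", "user_login"));
    HttpPost post = new HttpPost(url);
    post.setEntity(new UrlEncodedFormEntity(params, HTTP.UTF_8));
    // Make it explicit that the 302 is returned to the caller, not followed.
    HttpClientParams.setRedirecting(post.getParams(), false);
    AndroidHttpClient httpClient = AndroidHttpClient.newInstance("Android");
    try {
      HttpResponse response = httpClient.execute(post, httpContext);  // POST, not GET
      if (response.getStatusLine().getStatusCode() != HttpStatus.SC_MOVED_TEMPORARILY) {
        return null;  // e.g. 200: the login page was served again
      }
      Header location = response.getFirstHeader("Location");
      return location != null ? location.getValue() : "";
    } finally {
      httpClient.close();  // release the underlying connections
    }
  }
}
```

The status code is the only thing inspected; the username and password are never written to the log.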