I'm working on an android app that on buttonpress fills out the form data on a website, submits those and returns the response in a webview.
I tried many solutions based on all input elements the website expects.
I also did record the network activity in chrome's developer tab when I submit manually, tested it with only those parameters, and even imported the .har in POSTMAN.
Whenever I try to recreate the submissions either via POSTMAN or via cURL, I'm getting the 403 Forbidden Errors, no matter if I use POST or OPTIONS..
I'm guessing I am missing a Session Cookie or something equivalent.
Frankly I'm fairly new to this topic.
How would I generally go about automating the filling and submitting of forms on a website while still retrieving the response in a viewable format (e.g. to be able to manually enter the captcha)?
The URL in question is this btw: https://subwayrewards.de/register
Related
Okay, weird, weird question time. I have an Android app that submits data to the server using a form POST to an ASP page. Well, at least it SHOULD. I actually have 2 domains. Let's say they are: MySite.com and MySiteBeta.com.
When I use the Android app and post to MySite.com the form data is received without any problems. When I modify the app to post to MySiteBeta.com the form data is not received. (No changes to the code except the domain name) Mind you, there are no errors recorded in the page - and execution continues past where any error should have occured. But, no form data is present. I'm looping through the Request.Form object just to be sure, and nothing is there. Also, if I just create another ASP page to send this form data, everything works fine. So, it doesn't seem to be anything with the ASP page itself.
What could cause an Android app to work when posting to one domain but not another? NOTE: The files on the server are the same. I'm assuming it may be some sort of permissions in the ASP setup (running IIS8)? Not sure.
I'm sending an httppost request to a web site (asp) and I'm trying to find a table in the HTML source by using EntityUtils.toString(httpEntity, "UTF-8") but I can't find the table that I'm looking for.
BUT, when I'm clicking on inspect element in chrome for the same web page I can see a whole new world which contains my table and a lot more.
Is there a way to get the same raw data as in Chrome's inspect element in an android app?
Chrome handles cookie and session management automatically, along with typical connection management aspects (eg: cache, keep alive, etc)
Make sure your android app is making the http post request with all the necessary headers, cookie/session, and input parameters.
You can use chrome dev tools to capture and see the full request/response detials. See if its sending any cookie information to the server. If so, you will need to modify your android app to do the same.
(I'm asking this partly for learning purposes, I realize what I'm trying to do might be entirely wrong!)
I have a php file on my website that handles log in and sets a cookie for the user if log in is successful. if setcookie() fails, I error out instead of displaying the rest of the page.
When I try to access this page using my android app (which uses HttpURLConnection with POST), the setcookie() fails. I'm guessing this is because the client isn't a browser and can't handle cookies.
so first of all, is there away for my app to be able to receive cookies from the server and store them? if not, how do you handle maintaining a login session with the user so you dont have to send a username and password, every time you want to access data from the server?
THanks
A couple of notes before the workaround:
The function is called setcookie() not set_cookie()
Android browsers do support cookies afaik, so you probably should look into this further. Perhaps the format of your setcookie call is not valid?
If you can't use cookies, then the workaround is to simulate your own session mechanism by passing your cookie value as a url parameter on every request.
I have a new project involving the build of an Android app for a website of a hiking club. The website has a login functionality after which the user can browse through available hikes, subscribe to a hike, view the other subscribers, contact the organizer etc.
The original site is based on a MySQL database with a front end of .asp pages. Most data is passed through the pages as GET parameters on the query string.
New to Android development, some things really puzzle me, even after reading several tutorials. I am thinking towards an architecture baes on REST webservices but there a several obstacles to overcome and chooses to be made.
Apart from using REST, some other options are available:
Call the original .asp pages from the app instead of building a dedicated Web service. This leaves me with much less code to write, the original business logic (queries e.a.) as well as the login system can be used (with the "remember me" functionality based on cookies). Downside is that the (X)HTML code in the response needs to be parsed to show in the app GUI, where the majority of the response code is useless ballast code. Also, it does not feel very good from an archtitectorial point of view.
Using a SOAP based webservice. I am totally unfamiliar with SOAP and it appears to be much too heavyweight for a mobile device.
Using REST services. I am leaning towards this option, and have made
some already working services using the SLIM framework. But there
are some problems. First, REST is stateless by definition and does
not seem to support sessions. But the "Remember me" option is
required for the app after login in for the first time, the user
needs not to login again unless he explicitly logs out.
But how can we achieve that?
First option is to designing some completely client-site login/logout system which saves the credentials locally until the user logs out. And sending the credentials with each request to the Web service as POST parameters, or somehow in the HTTP Authorization request header, though I am not familiar with that.
Second option is to deviate a bit from RESt principles and use a session mechanism anyway. After sending the credentials to the web service, a cookie is created and send to the client app. The dartabase cannot be extended so there is no option to save a token in the user table. Maybe the usernae/password can be encrypted and send as a cookie to the app, and decrypted at each subsequent request?
I am a bit lost in this, and look forward to serious suggestions!
I believe that from a long term perspective, it is important that you lean towards REST Interfaces. While JSoup and/or WebView approaches will definitely work, it is important to have the flexibility to redefine/design the mobile application in ways that are completely agnostic of the Server side. REST will help you there and you do not need to play catch up with the Server side, everytime they change the HTML pages, etc.
Going REST will also help in future with writing additional mobile applications and even on different platforms like iOS, if your roadmap contains that.
You can use jsoup to parse the html pages from your Android app and reorganize the information of the web page, this option will gives you ability to quickly develop an App, later you may think on add REST interfaces to your web site and populate data in json.
You can also use WebView to laod your web pages if you don't want to parse html pages.
I suggest you using REST architecture as you said. You can use a rest client library for Android as RESTDroid, take a look to the guide because there is a implementation example with special header needed for the particular web service used (Parse.com in this case).
I just can't get my head straight about this one. I'm currently building a rather large-scale application on Android. I've run in to a couple of problems regarding security and authentication though...
The Scenario:
I have an application that's making calls through HTTP (will implement SSL later) to a server running PHP and MySQL. Of course i want to use the existing user-database, so migration to another DB is not a solution..
I've managed to create the "register users via Android to the server"-functionality.
I've also made a working login, BUT this is where the problems start.
As users in the Android application I'am working on adds, edits, deletes and sync stuff on the server via/to the application, things get rather complicated. A little too complicated for me it seems :)
Problems:
As I get the result from my server-side login and pass it from the
server to Android via JSON, the connection dies and server-side I
'aint logged-on (sessions dies) whereas on the phone I'am. How can I
make the log-on persistent both on the server and in Android without
the need to log-on again? So that subsequent calls from Android to
the server is made with the same user, still authenticated. I.e. I
want sort of a one-time login ('till I logout) like in the
Spotify-app (and many others).
If I've understood things right, implementing SSL correct makes it
possible to send passwords in clear text to the server without the need to hash them first. Is this correct?
I just can't stop thinking about the fact that a MIM-attack would compromise any unique id I send from Android to the server. My first thought was to have the UID on the Android device as a "key" to the server after a successful log-on. But if that key gets in the wrong hands, the user associated with that UID will be compromised. I've looked at the AccountManager on Android but it seems rather over-kill in my case.
If someone could supply examples or at least guidelines, I'd be much grateful!
Thanks in advace!
ADDED SOLUTION DIAGRAM AFTER EDIT
Notice that this diagram shows the first start of the application. Later startups will NOT show the Login / Register form, but use the DUT instead.
// Alexander
Issue some form of a short-lived authentication token to Android apps. They would need to pass it in every request, and you will check it your Web app. Breaking the connection doesn't end the session, if it does, you have bug in your Web app: fix it. In Android, as long as you are using the same HttpClient instance, it will continue to use the same session, nothing special is needed.
Whatever you do, do not put off implementing SSL, do it now.