java – JSoup POST request – authorization problems

Question:

The task is to write an Android client to work with this section of the site: http://91.200.160.20/search.php. However, I just can't log in to it. The jsoup library is used. So, to form a POST request, we have:

```html
<form action="alogon.php" id="loginform" method="POST">
  <table border="0" cellpadding="0" cellspacing="0">
    <tr>
      <td width="158">
        <table width="100%" border="0" cellpadding="0" cellspacing="0">
          <tr>
            <td>
              <div>
                <label for="loginEnterToSite" class="labelLogin">№ читательского билета</label>
                <input name="id" value="" id="loginEnterToSite" type="text" style="width:143px;height:15px;">
              </div>
            </td>
          </tr>
          <tr>
            <td>
              <div>
                <label for="passwordEnterToSite" class="labelPass">ПИН - код</label>
                <input name="user_pass" id="passwordEnterToSite" value="" type="password" style="width:63px;height:15px">
              </div>
            </td>
          </tr>
        </table>
      </td>
      <td width="41">
        <input type="image" name="submit" src="menu/loginimage/sup5.gif" style="border-style:none">
      </td>
    </tr>
    <tr>
      <td colspan=2>
        <input type=checkbox name=remember>Запомнить &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a class='all_1' href="javascript:void(0);" onmouseover="Tip('<font color=#FF0000><b>Паролем является PIN код.</b></font><br><br>При утрате PIN кода необходимо обратиться в отдел &laquo;Учета и регистрации&raquo;.<br><br>Если у Вас нет PIN кода, то в качестве пароля можно использовать<br>первые буквы фамилии имени и отчества.<br><br>Например, читатель Iванов Євген Іванович,<br>читательский № 1234567 вводит номер Ч.Б. -<b><font color=#FF0000>1234567</font></b>, пароль - <b><font color=#FF0000>ІЄІ</font></b>', SHADOW, true, SHADOWWIDTH, 4, SHADOWCOLOR, '#007FFF')"
        onmouseout="UnTip()">Напомнить&nbsp;пароль</a>
      </td>
    </tr>
  </table>
</form>
```

When registering with a browser, this is what happens in the headers:

>**General**  
>Request URL:ttp://91.200.160.20/alogon.php  
>Request Method:POST  
>Status Code:302 Found  
>Remote Address:91.200.160.20:80  
>**Response Headers**  
>Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
>Connection:Keep-Alive  
>Content-Encoding:gzip  
>Content-Length:20  
>Content-Type:text/html  
>Date:Thu, 09 Jun 2016 22:46:02 GMT  
>Expires:Thu, 19 Nov 1981 08:52:00 GMT  
>Keep-Alive:timeout=5, max=100  
>Location:userpage.php  
>Pragma:no-cache  
>Server:Apache/2.2.22 (Debian)  
>Set-Cookie:login=43750; expires=Sat, 09-Jul-2016 22:46:03 GMT  
>Set-Cookie:pass=73a39915788ab7f0e842fa37f8536c72; expires=Sat, 09-Jul-2016 22:46:03 GMT  
>Set-Cookie:pc_id=1805; expires=Fri, 09-Jun-2017 22:46:03 GMT  
>Vary:Accept-Encoding  
>X-Powered-By:PHP/5.4.4-14+deb7u7  
>**Request Headers**  
>Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
>Accept-Encoding:gzip, deflate  
>Accept-Language:uk,ru;q=0.8,en;q=0.6  
>Cache-Control:max-age=0  
>Connection:keep-alive  
>Content-Length:63  
>Content-Type:application/x-www-form-urlencoded  
>Cookie:PHPSESSID=2m26kdulqifq2tjt77fiihc8g5; pc_id=1805  
>Host:91.200.160.20  
>Origin:ttp://91.200.160.20  
>Referer:ttp://91.200.160.20/search.php  
>Upgrade-Insecure-Requests:1  
>User-Agent:Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 YaBrowser/16.4.1.8949 Safari/537.36  
>**Form**  
>id:-----  
>user_pass:------  
>submit.x:20  
>submit.y:9  
>remember:on  

In the fields with links, "http" has been changed to "ttp" due to lack of reputation.

The code used to authorize and receive cookies:

```java
Connection.Response loginGet = Jsoup.connect("http://91.200.160.20/search.php")
        .method(Connection.Method.GET)
        .execute();

Connection.Response loginPost = Jsoup.connect("http://91.200.160.20/alogon.php")
        .data("id", mLog)
        .data("user_pass", mPassword)
        .data("submit.x", "27")
        .data("submit.y", "13")
        .data("remember", "on")
        .cookies(loginGet.cookies())
        .userAgent("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 YaBrowser/16.4.1.8949 Safari/537.36")
        .referrer("http://91.200.160.20/search.php")
        .method(Connection.Method.POST)
        .execute();

Log.d("ex", "loginPost" + loginPost.cookies());
Log.d("ex", "loginGet" + loginGet.cookies());
```

When outputting cookies to logs, this is what I get:

```
D/ex: loginPost{login=deleted, pass=deleted}
D/ex: loginGet{PHPSESSID=t21o83o1336qk5ea4mhf2var27, pc_id=2185}
```

I can't figure out why it writes login=deleted and pass=deleted. Could this be because the password is a combination of Cyrillic characters? If so, can you tell me how to get around this? And if not, what could cause such a problem and what am I doing wrong?

Answer:

Probably no one needs this, but just in case, here is a tried and tested solution:

```java
Connection.Response loginPost = Jsoup.connect("http://91.200.160.20/alogon.php")
        .data("id", login)
        .data("user_pass", password)
        .cookies(loginGet.cookies())
        .userAgent("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 YaBrowser/16.4.1.8949 Safari/537.36")
        .referrer("http://91.200.160.20/search.php")
        .method(Connection.Method.POST)
        .postDataCharset("windows-1251")
        .execute();
```

It is .postDataCharset("windows-1251") that fixes the error.

What is going on: to send data in a POST request, it must first be URL-encoded (so-called URL encoding). This turns your Russian password into %C1%C0%D0. (You can see this in the body of your browser request when authorizing.)

When you make a GET request for /search, the Content-Type header is text/html; charset=windows-1251, which hints to the browser to continue communicating with the server in win1251 encoding, which it uses to URL-encode your password.

However, Jsoup doesn't know this and uses the standard UTF-8. And in UTF-8, Russian is encoded differently. Thus, by explicitly specifying the encoding, the password is encoded correctly and the server approves the authorization.
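The encoding mismatch described in the answer, as an added example that is not part of the original question or answer: it reads the charset from a Content-Type value, builds the form body in that charset and in UTF-8, and shows what a windows-1251 server recovers from the UTF-8 body. The class and method names (FormCharsetDemo, charsetOf, formBody) are hypothetical and the field values are constructed samples.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class FormCharsetDemo {
    // Extract the charset parameter from a Content-Type value; default to UTF-8.
    static String charsetOf(String contentType) {
        if (contentType != null) {
            for (String part : contentType.split(";")) {
                String p = part.trim();
                if (p.toLowerCase(Locale.ROOT).startsWith("charset=")) {
                    return p.substring("charset=".length()).replace("\"", "").trim();
                }
            }
        }
        return "UTF-8";
    }
    // Build an application/x-www-form-urlencoded body in the given charset.
    static String formBody(Map<String, String> fields, String charset)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), charset))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), charset));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample values. The password is three Cyrillic letters, written
        // as Unicode escapes so the source file's own encoding cannot alter them.
        String contentType = "text/html; charset=windows-1251";
        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("id", "1234567");
        fields.put("user_pass", "\u0411\u0410\u0420");
        String pageCharset = charsetOf(contentType);
        String asPage = formBody(fields, pageCharset);
        String asUtf8 = formBody(fields, "UTF-8");
        System.out.println(pageCharset + ": " + asPage);
        System.out.println("UTF-8: " + asUtf8);
        // What a server that decodes the body as windows-1251 recovers from the UTF-8 bytes:
        System.out.println("server sees: " + URLDecoder.decode(asUtf8, pageCharset));
    }
}
```

With jsoup, the charset of the GET response is also available as loginGet.charset(), which can be passed to postDataCharset instead of a hard-coded string when it is not null.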
