documentation:1.1:formreplay

Form replay

Form replay allows you to open a session on a protected application by replaying the form POST without asking anything to the user.

This kind of SSO mechanism is not clean, and can lead to problems, like local password blocking, local session not well closed, etc.

Please always try to find another solution to protect your application with LL::NG. At least, check if it is not a known application, or try to adapt its source code.

If you configure form replay with LL::NG, the Handler will catch configured POST URL and send a POST query to the target page (which can be different of the caught page). Each field can be filled with static values or data from user's session.

To post user's password, you must enable password storing. In this case you will be able to use $_password to fill any password POST field.

LL::NG can catch a GET request and transform it internally in a POST request. All this work is transparent for the user, he cannot see what data are posted by LL::NG.

You should grab some informations:

  • URI of the page which contains the form
  • URI of the page which receive POST data (optional if it is the same as the page holding the form)
  • All fields name and values

For example:

  • Form page URI: /login.php
  • POST data URI: /process.php
  • Fields:
    • login: $uid (uid of the user)
    • password: $_password (password of the user)
    • static: 'StaticValue' (a static value)
    • remember: '1' (checked box)

Then go in Manager, Virtual Hosts » virtualhost » Form replay and click on Add POST URL.

Fill values here:

  • POST URL: /login.php
  • Target URL: /process.php

Then click on New POST data and add all data with their values, for example:

You can define more than one form replay URL per virtual host.

Due to a conflict between LL::NG form replay and Apache mod_proxy (see issue), you cannot use form replay on proxied applications, unless you use LL::NG internal proxy (based on Perl LWP):

<VirtualHost>
  ServerName test2.example.com
 
  PerlHeaderParserHandler My::Package
 
  PerlModule Lemonldap::NG::Handler::Proxy
  SetHandler perl-script
  PerlHandler Lemonldap::NG::Handler::Proxy
  PerlSetVar LmProxyPass http://APPLICATION/
  PerlSetVar LmLocationToReplace http://APPLICATION/,http://test2.example.com
</VirtualHost>