documentation:2.1:formreplay

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

documentation:2.1:formreplay [2019/01/15 15:55] (current)
Line 1: Line 1:
 +====== Form replay ======
 +
 +===== Presentation =====
 +
 +Form replay allows you to open a session on a protected application by filling a HTML POST login form and autosubmitting it, without asking anything to the user.
 +
 +<note warning>
 +This kind of SSO mechanism is not clean, and can lead to problems, like local password blocking, local session not well closed, etc.
 +
 +Please always try to find another solution to protect your application with LL::NG. At least, check if it is not a [[applications|known application]], or [[selfmadeapplication|try to adapt its source code]].
 +</note>
 +
 +If you configure form replay with LL::NG, the Handler will detect forms to fill, add a javascript in the html page to fill form fields with dummy datas and submit it, then intercept the POST request and add POST data in the request body.
 +
 +POST data can be static values or computed from user's session.
 +
 +<note tip>
 +To post user's password, you must enable [[passwordstore|password storing]]. In this case you will be able to use ''$_password'' to fill any password POST field.</note> 
 +
 +===== Configuration =====
 +
 +You should grab some information:
 +  * URI of the html page which contains the form
 +  * URI the html form is sent to
 +  * Does the html page load jQuery ? If not, grab a jQuery URL reachable by user (any version over jQuery 1.0 is suitable)
 +  * are there several html forms in the page ? If so, get a jQuery selector for the form you want to post
 +  * is user required to click on a button, for example in order to perform some script ? If so, get a jQuery selector for that button
 +  * names and values of the fields you want to control
 +If you don't know jQuery selector, just be aware that they are similar to css selectors: for example, button#foo points to the html button whose id is "foo", and .bar points to all html elements of css class "bar".
 +
 +For example:
 +  * Form page URI: /login.php
 +  * Target URI: /process.php (if you let this parameter empty, target URI is supposed to be the same as form page URI)
 +  * jQuery URL: <nowiki>http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js</nowiki> (if you let this parameter empty, jQuery is supposed to be already loaded; you can also set ''default'' to point to jQuery URL of LL::NG portal)
 +  * jQuery form selector: #loginForm (if you let this parameter empty, browser will fill and submit any html form)
 +  * jQuery button selector: button.validate (if you let this parameter empty, the form will be submitted but no button will be clicked; if you set it to "none", no button will be clicked and the form will be filled but not submitted)
 +  * Fields:
 +    * postuid: $uid
 +    * postmail: $mail
 +    * poststatic: 'static'
 +
 +Go in Manager, "Virtual Hosts" » //virtualhost// » "Form replay" and click on "New form replay".
 +
 +{{ :documentation:manager-form-replay.png?nolink |}}
 +
 +Fill values here:
 +  * **Form URL**: /login.php
 +  * **Target URL**: /process.php
 +  * **jQuery URL**: <nowiki>http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js</nowiki>
 +  * **jQuery form selector**: #loginForm
 +  * **jQuery button selector**: button.validate
 +
 +Then click on ''New variable'' and add all data with their values, for example:
 +
 +{{ :documentation:manager-form-replay-vars.png?nolink |}}
 +
 +<note tip>You can define more than one form replay URL per virtual host.</note>