Last post Jun 15, 2012 11:52 AM by _wakamohle
Jun 14, 2012 03:59 PM|_wakamohle|LINK
I'm currently the webmaster of a travel agency site (call it http://www.myagencyweb.com) which uses aspx functionality.
This website has a page to review some promotions of the agency's partners (http://www.myagencyweb.com/partners.aspx)
The partners.aspx page has links to each partner's website, and each page uses different technology (asp, php, etc), but all of them need login data to access the promotions. The login data is different for each partner's website, but I already have all the logins I need.
The problem is that I've been asked to find a way to make our links on http://www.myagencyweb.com/partners.aspx autologin on the different partners' websites, so the user can browse them without "seamlessly" going out of our site.
I've already tried writing the POST variables as shown in http://forums.asp.net/t/1364414.aspx/1?HttpWebRequest+and+HttpWebResponse+question but I can only get the HTML of the partner's logged in page (when I'm lucky, when not I get a 500 server error). Anyway, I cannot interact with the page because the URL remains on the myagencyweb.com domain.
I guess there's a way to do this session transfer, like when we login to hotmail and then we go to the skydrive domain, and then we can go to the microsoft.com domain and it still recognizes our session... well, just guessing.
I'll do more research on this, but anyway, I hope you can help me.
Thanks in advance
Jun 15, 2012 12:31 AM|tinmgaye|LINK
Sounds like "form hijacking"
So my advice is to handshake with your partner sites, and create a login session by having a one-time authentication token via request query.
Hope this helps.
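One way to build the one-time token handoff suggested in the reply above, as an added C# example that is not part of the thread. The class name, token layout, 60-second lifetime, per-partner shared HMAC key and in-memory nonce set are all assumptions; the token carries an account identifier and never a password.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added example; all names are hypothetical. The key is agreed with one partner out of band.
static class HandoffToken
{
    static readonly HashSet<string> Redeemed = new HashSet<string>(); // partner side; use a shared store in production
    static string Mac(byte[] key, string payload)
    {
        using (var h = new HMACSHA256(key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // Agency side: token = accountId.expiryUnix.nonce.mac (accountId must not contain '.').
    public static string Issue(byte[] key, string accountId, DateTimeOffset now)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string payload = accountId + "." + now.AddSeconds(60).ToUnixTimeSeconds() + "." + BitConverter.ToString(nonce).Replace("-", "");
        return payload + "." + Mac(key, payload);
    }

    // Partner side: returns the account id to sign in, or null when the token is rejected.
    public static string Redeem(byte[] key, string token, DateTimeOffset now)
    {
        string[] p = (token ?? "").Split('.');
        if (p.Length != 4) return null;                                                   // malformed
        if (!FixedEquals(Mac(key, p[0] + "." + p[1] + "." + p[2]), p[3])) return null;    // forged or altered
        if (!long.TryParse(p[1], out long expiry) || now.ToUnixTimeSeconds() > expiry) return null; // expired
        lock (Redeemed) { if (!Redeemed.Add(p[2])) return null; }                         // already used once
        return p[0];
    }

    // Comparison whose running time does not depend on where the strings differ.
    static bool FixedEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        string token = Issue(key, "agency-42", DateTimeOffset.UtcNow);
        Console.WriteLine(Redeem(key, token, DateTimeOffset.UtcNow) ?? "rejected");
        Console.WriteLine(Redeem(key, token, DateTimeOffset.UtcNow) ?? "rejected"); // same token presented again
    }
}
```

The agency page would append the token to the partner link over HTTPS, and the partner's landing page would call `Redeem` before creating its own session, so no partner credentials pass through the browser or the URL.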
Jun 15, 2012 11:52 AM|_wakamohle|LINK
Thank you tinmgaye,
Yes, I realized that since the moment I heard it... Felt like a spammer
I was just wondering if there was a way of making it without hijacking the form, because my intention is not to attack the site, I already have the login data and I just wanted to save the exhausting work of entering the login data to the client... anyway... I guess that's what a spammer would say
I found only one of our partners to have their site prepared to receive login data by query string
Never mind... I hope not to lose my job for this