cURL / Mailing Lists / curl-users / Single Mail


Re: https, redirection and authentication using POST

From: Ralph Mitchell <>
Date: Fri, 30 May 2003 00:13:24 -0500

David Withnall wrote:

> This has got to be the wierdest damn site i've seen (but living in Oz I understand that Tel$tra is full of strange people).
> To get into the site you need to do it in 2 stages
> The first one you've almost got correct, you go there, but send no post data.
> After that connection has run through the numerous redirects and gathered all the cookies and wotnot that bigpond issue to you.
> Then I think you go to here - the form is actually submitted using java script, not a standard form action command.
> with the following post data (Once the password form has loaded, look at the source and you'll see all of these)
> SMENC=ISO-8859-1
> target=,_AUTH_REDIR=
> smauthreason=0
> retrytext=Invalid Username or Password
> and that should get you in. I Think. it's a bit confusing because of all the redirects, javascript and other garbage they've got on the site.

Yay, SiteMinder!! I'd recognise those grubby fingerprints anywhere... :)

To be fair to Telstra, it's probably not their redirects, javascript and such. They're just using SiteMinder to handle the logins and authentication.

And yes, I've been beating my head on a couple of sites like this one. Most recently, one that is handling multi-lingual clients by having a rather large javascript function that loads up variables with character strings (and even the input tag for the submit!) and then document.write's them out. The submit function loads up a form variable from several others, assembles the action url from somewhere and then posts.

I hates it, I does... :)

Ralph Mitchell

This email is sponsored by: eBay
Get office equipment for less on eBay!
Received on 2003-05-30