Friday, 21 January 2022

Re: Using Netsurf cookies with wget

>> there might be hidden input fields, [...]
> Ah - I think I may have spotted something. The actual <form> tag at
> the start contains an 'authenticity token':

[reformatted for readability]
> <form class="new_user" id="new_user" action="/users/login"
> accept-charset="UTF-8" method="post">
> <input name="utf8" type="hidden" value="&#x2713;"/>
> <input type="hidden" name="authenticity_token" value="VfGGu3jwjsf6xNQmlmuu3Qkgc1BsZzgu0ikhluwqmVHU9RFVQQUUANuaza9HFgXr_c71SiKwBLz8XA8bQ4hSOA"/>
> [...]
> </form>

There's also that "utf8" field. Amusingly, U+2713, from the Dingbats
range, is CHECK MARK. Of course, who knows what the server would do if
that field weren't there or had a different value, such as maybe U+2718
(an X mark, called HEAVY BALLOT X) or U+00AC (NOT SIGN)....

> And this value is different for every copy of the page served, which
> presumably means that it is, by design, impossible for anyone to log
> in 'blind' with user name and password alone....

Likely. Quite possibly done as a defense against automated
password-guessing bots. Unfortunately, with the current state of
Internet governance, such defenses are close to essential.

The token looks like URL-safe base64. Decoding it under that
assumption produces random-looking binary data, so I suspect it is (as
should be) being done with proper crypto.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse@rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
_______________________________________________
netsurf-users mailing list -- netsurf-users@netsurf-browser.org
To unsubscribe send an email to netsurf-users-leave@netsurf-browser.org
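An added check, written for this page and not part of the author's message or the NetSurf thread, that does the decoding step described above in Python: it restores the stripped base64url padding, decodes the quoted token, and reports its length and byte entropy beside a constructed repeating-pattern token for contrast. The 64-byte result matches a 32-byte token masked with a 32-byte one-time pad, which is how Rails builds its authenticity_token field; that is my inference from the field names, the page itself never names the framework.

```python
import base64
import math
from collections import Counter

# Token copied verbatim from the quoted <form> above (a single sample).
PAGE_TOKEN = (
    "VfGGu3jwjsf6xNQmlmuu3Qkgc1BsZzgu0ikhluwqmVHU9RFVQQUUANuaza9HFgXr"
    "_c71SiKwBLz8XA8bQ4hSOA"
)

# Constructed contrast: 64 bytes of a repeating two-byte pattern, encoded the same way.
WEAK_TOKEN = base64.urlsafe_b64encode(b"\x01\x02" * 32).rstrip(b"=").decode()


def decode_urlsafe_b64(token: str) -> bytes:
    """Decode URL-safe base64 ('-' / '_' alphabet) whose '=' padding was stripped."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 6.0 is the ceiling for 64 all-distinct bytes."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def token_report(token: str) -> dict:
    """The numbers one looks at when judging whether a token is 'proper crypto'."""
    raw = decode_urlsafe_b64(token)
    return {
        "encoded_len": len(token),
        "decoded_len": len(raw),  # 64 for the page token: 32-byte pad + 32 masked bytes (inference)
        "distinct_bytes": len(set(raw)),
        "entropy_bits_per_byte": shannon_entropy(raw),
    }


def looks_random(token: str, min_entropy: float = 4.0) -> bool:
    """Coarse plausibility check only. It rejects obviously patterned tokens, but a
    counter or timestamp run through a hash would pass it too; unpredictability and
    binding to the session cannot be proven from one decoded sample."""
    return token_report(token)["entropy_bits_per_byte"] >= min_entropy


if __name__ == "__main__":
    for name, tok in (("page token", PAGE_TOKEN), ("weak token", WEAK_TOKEN)):
        print(name, token_report(tok), "plausible:", looks_random(tok))
```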
