Using Node.js to simulate login with session authentication

Source: Internet
Author: User

1. Authentication and User Login


In a typical web application, the most common and also the simplest way to implement user login is to use a session. The main idea is to keep some user identity information in the session and check it on every request: if the information is wrong or missing, authentication fails; if it is correct, authentication succeeds.

Sessions and cookies are two very similar things. Both are strings, but the session is stored on the server while the cookie is stored locally on the client, so the cookie itself is not used for authentication. As the name implies, a session is tied to the conversation established between the client and the server. A session works much like a worker process: each time a client establishes a conversation with a website on the server, a session is created on the server. Whether that session holds any relevant information depends on what the user submits.

Sessions are distinguished by the session ID that the server issues. Different kinds of servers use different session ID names; a few are listed below:

① IIS server running ASP.NET: ASP.NET_SessionId

② Tomcat server running Java: JSESSIONID

The authentication process using the session:

A server with session support enabled generates a session ID when the client starts a session and sets a cookie through the Set-Cookie field of the response headers. The cookie contains the session ID and the cookie's path. In subsequent requests, the client browser automatically sends the session ID it received in Set-Cookie back to the server to identify itself. The server looks up the relevant user information in its own storage based on the session ID and completes the verification.

User login, then, is the process of submitting the username, password and other information to the server in order to obtain a session ID.


2. How to simulate and implement user login
The purpose of simulating a user login is not brute-forcing, but getting past the authentication of certain sites in order to obtain needed information. Take a school library as an example: suppose a program needs to fetch a reader's borrowing records. Because the program does not carry a session ID the way a browser does, it must submit the username and password to the server, obtain the session ID, and then send that session ID with subsequent requests for other pages in order to get the borrowing information. The approximate process is as follows:

3. Implementation in Node.js

I used the request package in Node.js to simplify the requests. The native http module would of course work as well, but for development efficiency it is better to use an npm package. Without further ado, here is the code:

    var request = require('request');
    var iconv = require('iconv-lite');

    function login(username, password, callback) {
        request({
            url: 'http://222.24.3.7:8080/opac_two/include/login_app.jsp', // request URL
            method: 'POST', // send as a POST request
            encoding: null, // Node defaults to UTF-8 but the library site uses GB2312, so keep the raw Buffer
            headers: { // request header settings
                'Content-Type': 'application/x-www-form-urlencoded'
            },
            form: { // request body (parameters)
                login_type: 'barcode',
                barcode: username, // submit the username
                password: password, // submit the password
                _: '' // other parameters
            }
        }, function (err, res, body) { // callback that receives the response
            if (err) {
                return callback(false); // network or server error
            }
            body = iconv.decode(body, 'GB2312'); // transcode the response body
            // console.log(body);
            var session = res.headers['set-cookie']; // get the Set-Cookie field value
            // console.log(session);
            if (body == 'OK') {
                callback({result: true, session: session});
            } else {
                callback(false);
            }
        });
    }

The code above is a sample user login request. It submits the username and password to the server as URL-encoded form data; the server is the borrowing-information query site of the Xiyou (Xi'an University of Posts and Telecommunications) library. The options object passed to request builds the request, including the request headers and the request body (parameters); for the detailed syntax, refer to the official request documentation.
The callback function that follows receives the response from the server, which contains the session ID we need.
Next, let's see how to take the session ID and make subsequent requests.
    var request = require('request');

    function fetchHistory(session, callback) {
        request({
            uri: 'http://222.24.3.7:8080/opac_two/reader/jieshulishi.jsp', // build the request
            encoding: null, // do not transcode
            headers: {
                Cookie: session // the key part: send back the session ID cookie returned by the login request
            }
        }, function (err, res, body) { // receive the response
            if (err) {
                callback('Server Error');
            }
            // body holds the page content to be analyzed
        });
    }

In the code above, the most critical part is the request header settings, that is, the cookie: it must be set to the cookie containing the session ID that was returned after logging in with the username and password. For any site that simply uses a session for authentication, this method can be used to simulate the submission of user data from a program and obtain information from pages that require authentication. All that remains is to analyze the body of the response in order to extract the information from the HTML. Node.js is really handy!
When reposting, please cite the source: http://blog.csdn.net/yuanguozhengjust/article/details/37601757
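The exchange described in section 1 and used by the two requests above, simulated in memory with both sides in one file. This is an added example, not code from the original post; the function names, the demo account and the cookie attributes are constructed for illustration.

```javascript
// Added example: session-ID authentication with client and server simulated in memory.
// USERS, login, toCookieHeader, authenticate and logout are hypothetical names.
const { randomBytes } = require('crypto');

const USERS = { '04121001': 'secret' };   // constructed demo account
const sessions = new Map();               // server-side store: session ID -> user info

// Server side: check the credentials, create a session, return the Set-Cookie values.
function login(username, password) {
  const known = Object.prototype.hasOwnProperty.call(USERS, username);
  if (!known || USERS[username] !== password) return null;
  const id = randomBytes(16).toString('hex');   // unguessable session ID
  sessions.set(id, { username: username });
  return ['JSESSIONID=' + id + '; Path=/opac_two; HttpOnly'];
}

// Client side: keep only name=value from each Set-Cookie line. Attributes such
// as Path and HttpOnly are instructions to the client and are not sent back.
function toCookieHeader(setCookie) {
  return setCookie.map(line => line.split(';')[0].trim()).join('; ');
}

// Server side: find the session ID in the Cookie header and look up the user.
function authenticate(cookieHeader) {
  for (const pair of (cookieHeader || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq !== -1 && pair.slice(0, eq).trim() === 'JSESSIONID') {
      const s = sessions.get(pair.slice(eq + 1).trim());
      return s ? s.username : null;
    }
  }
  return null;
}

// Server side: logging out deletes the stored state, so the old ID stops working.
function logout(cookieHeader) {
  const m = /JSESSIONID=([0-9a-f]+)/.exec(cookieHeader || '');
  return m ? sessions.delete(m[1]) : false;
}

// Constructed run: log in, convert Set-Cookie to a Cookie header, authenticate.
const setCookie = login('04121001', 'secret');
const cookie = toCookieHeader(setCookie);
console.log(cookie, '->', authenticate(cookie));
```

The session ID is the only credential after login, so whoever holds it is treated as the user until the server deletes the session.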
