Use cookies to obtain the webpage after logon.

Use cookies to obtain the webpage after logon.

As we all know, HTTP connections are stateless, so the question is, how can we record user login information? Generally, when a user sends an HTTP request for the first time, a SessionID is generated on the HTTP Server, which corresponds to the status of each session (such as whether to log on or not ), and save the SessionID In the cookies of the browser. After logging on to a webpage, you do not need to log on when you open another window to access the same webpage, because both webpages correspond to the same cookies.

Sometimes, when performing a python crawler, you need to access the webpage that can be accessed only after logging on. This can be achieved by using the cookie file that has been logged on. The following uses thunder network as an example. The experimental platform is Linux.

1. First, log on to the Firefox browser and use the Firebug plug-in to export cookies.

2. Modify the cookiesformat and set the file name to xunlei.txt. The correct format is as follows:

1 # Netscape HTTP Cookie File. 2 # Generated by Wget on 23:54:34. 3 # Edit at your own risk. 4 5 bytes TRUE/FALSE 1498494348 _ utma limit 6. I .xunlei.com TRUE/FALSE 1498494325 _ utma limit 7 blocks TRUE/FALSE 1435424148 _ utmb limit 8. I .xunlei.com TRUE/FALSE 1435424125 _ utmb when 9 then TRUE/FALSE 1498494348 _ utmc 7463347910. I .xunlei.com TRUE/FALSE 1498494348 _ utmc 11257007611. I .xunlei.com TRUE/FALSE 1435422925 _ utmt 112 then TRUE/FALSE 1451190348 _ utmz then = I .xunlei.com | utmccn = (referral) | utmcmd = referral | utmcct =/login.html 13. I .xunlei.com TRUE/FALSE 1451190325 _ utmz encoding = (direct) | utmccn = (direct) | utmcmd = (none) 14 dynamic. I .xunlei.com FALSE/FALSE 1498494348 _ xltjbr 143542234755615 dynamic. I .xunlei.com FALSE/FALSE 1435424148 _ s19 %3a // dynamic. I .xunlei.com/user
# If there are many rows of cookies, you will not write them. Note the following three points:
#1. The first line must be at least one character and cannot be an error.
#2. The format must be strict (TAB in the blank space ):

Domain [TRUE or FALSE]/[TRUE or FALSE] expiration timestamp name content

3. Use pythoncode to read xunlei.txt and access the web page that can be accessed after login, such as: http://dynamic. I .xunlei.com/user

The source code is as follows:

 1 import cookielib, urllib2 2  3 cookie = cookielib.MozillaCookieJar() 4 cookie.load("xunlei.txt") 5 handle=urllib2.HTTPCookieProcessor(cookie) 6 opener = urllib2.build_opener(handle) 7 urllib2.install_opener(opener) 8  9 url = "http://dynamic.i.xunlei.com/user"10 req = urllib2.Request(url)11 response = urllib2.urlopen(req)12 print response.read()

4. The printed code shows the content that I can see at http://dynamic. I .xunlei.com/userafter logging on.

 

The above principles are similar to those of CSRF attacks. CSRF attacks use illegal access to user cookies and disguise them as users for operations. For this attack, the web site can generate a token. the HTTP Server verifies the token of each request to avoid CSRF attacks, such as Django's CsrfViewMiddleware.

However, the token is still stored in cookies and can still be used for CSRF attacks, but the attack methods are more complex.