Question

I'm trying to create a function in ColdFusion that will allow me to log in to the EA Sports Web App so I can retrieve my profile data and display it on my site.

Looking at the source code from their login page the first step just appears to be a simple login form:

<form method="post" id="login_form" action="https://www.ea.com/uk/football/services/authenticate/login" class="login_form" enctype="application/x-www-form-urlencoded">
    <input type="hidden" name="redirectUrl" value="http://www.ea.com/uk/football/fifa-ultimate-team" />
    <input type="hidden" name="failureUrl" value="http://www.ea.com/uk/football/login?failed=true&amp;redirectUrl=http%3A%2F%2Fwww.ea.com%2Fuk%2Ffootball%2Ffifa-ultimate-team" />
    <input type="hidden" name="captchaFailureUrl" value="http://www.ea.com/uk/football/login?failed=true&amp;redirectUrl=http%3A%2F%2Fwww.ea.com%2Fuk%2Ffootball%2Ffifa-ultimate-team" />
    <input id="email" name="email" class="text" type="text" tabindex="1" />
    <input id="password" name="password" class="text" type="password" tabindex="2" />
    <input type="checkbox" id="stay-signed" name="stay-signed" value="ON" checked="checked" tabindex="3" />
</form>

I'm using the CFHTTP request to submit the following:

<cfhttp url="https://www.ea.com/uk/football/services/authenticate/login" method="POST" result="myResult">
    <cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded" />
    <cfhttpparam type="formField" name="email" value="#Variables.user#" />
    <cfhttpparam type="formField" name="password" value="#Variables.password#" />
</cfhttp>

When I dump what's returned, the fileContent contains the following: <authenticate><success>0</success></authenticate> which I'm assuming means that the login has not been successful.

I know I'm not giving you much to play with here but there doesn't seem to be a great deal more to trying to get the login to authenticate. Can anyone point out where I might be going wrong please?

Solution

I'm not sure if this will solve your problem but there are a few things to consider when you submit a form remotely.

First, you do not know what logic resides behind the form, so you should submit EVERYTHING in the form in case the handler needs it for something. If it expects a form field that you did not submit, an error will occur and you will not get logged in.

Second, you could technically consider your actions, although perfectly legitimate for your use, a bot or hack. The target website could be looking to make sure the handler is actually being accessed by the form. They could be looking at the HTTP_REFERER or they could even be doing some more fancy stuff like looking at the duration of your session because no HUMAN could submit a form in .0001 seconds. In these cases you're likely not to get logged in at all unless you discover a flaw in their security logic.

Third, as part of securing the site, some logic also looks at the client to make sure you're a real browser. The default value of the userAgent attribute is "COLDFUSION". If the target is expecting something longer, or something that contains a valid browser name, the script would assume you are a bot and reject the request. The solution for this is easy though. Just put a good browser name in your userAgent attribute. You can get yours by dumping the cgi scope. The problem with this is that you should maintain it somehow so you're not trying to use an old browser 5 years from now and the target says 'Sorry, chum. We don't support IE6 any more...'

<cfhttp userAgent = "Mozilla/4.0 (compatible; MSIE 7.0; {...}" ...>
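
The first point in the answer above can be checked offline before changing the CFHTTP call. This is an added example, not code from the question or the answer: it parses a saved copy of the login form and lists the fields a browser would submit that the request leaves out. The form text is a constructed sample based on the question's markup (URLs shortened), and the names `FormFields` and `missing_fields` are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample: the login form from the question, with URLs shortened.
LOGIN_FORM = """
<form method="post" id="login_form" action="https://www.ea.com/uk/football/services/authenticate/login">
  <input type="hidden" name="redirectUrl" value="http://www.ea.com/uk/football/fifa-ultimate-team" />
  <input type="hidden" name="failureUrl" value="http://www.ea.com/uk/football/login?failed=true" />
  <input type="hidden" name="captchaFailureUrl" value="http://www.ea.com/uk/football/login?failed=true" />
  <input id="email" name="email" type="text" />
  <input id="password" name="password" type="password" />
  <input type="checkbox" id="stay-signed" name="stay-signed" value="ON" checked="checked" />
</form>
"""

class FormFields(HTMLParser):
    """Collect the input fields a browser would submit for one form id."""
    def __init__(self, form_id):
        super().__init__()
        self.form_id, self.inside, self.fields = form_id, False, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.inside = a.get("id") == self.form_id
        elif tag == "input" and self.inside and a.get("name"):
            kind = (a.get("type") or "text").lower()
            # Unchecked boxes are never sent; buttons and file inputs are skipped here.
            if kind in ("checkbox", "radio") and "checked" not in a:
                return
            if kind in ("submit", "button", "image", "reset", "file"):
                return
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self.inside = False

def missing_fields(html, form_id, sent):
    """Return {name: default value} for form fields that `sent` omits."""
    parser = FormFields(form_id)
    parser.feed(html)
    return {n: v for n, v in parser.fields.items() if n not in sent}

if __name__ == "__main__":
    # The CFHTTP call in the question sends only these two form fields.
    for name, default in missing_fields(LOGIN_FORM, "login_form", {"email", "password"}).items():
        print(f"not sent: {name}={default!r}")
```

Each name it reports is a candidate for an extra `cfhttpparam type="formField"` line carrying the form's default value.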

Other tips

All websites that log you in need to use cookies to achieve this as this is how they keep you logged in and maintain a session. That cookie is then sent to the server with each subsequent page request to authenticate you as being logged in. So you will need to emulate this with your cfhttp requests. See this article http://www.bennadel.com/blog/725-Maintaining-Sessions-Across-Multiple-ColdFusion-CFHttp-Requests.htm

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow