WinHTTP VBA 后续请求不能使用以前的登录凭据?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19294956/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
WinHTTP VBA subsequent request cannot use the previous login credentials?
提问by jacouh
I'm using WinHTTP in Access 2007 VBA to fetch some list of items requiring a cookie login credential account.
我在 Access 2007 VBA 中使用 WinHTTP 来获取一些需要cookie 登录凭据帐户的项目列表。
First I login through https://www.example.com/login.phpwith this:
首先,我通过https://www.example.com/login.php登录:
Dim strCookie As String, strResponse As String, _
strUrl As String
'
Dim xobj As Object
'
Set xobj = New WinHttp.WinHttpRequest
'
strUrl = "https://www.example.com/login.php"
xobj.Open "POST", strUrl, False
xobj.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
xobj.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
xobj.Send "username=johndoe2&password=mypassword"
'
strCookie = xobj.GetResponseHeader("Set-Cookie")
strResponse = xobj.ResponseText
The content of strResponseindicates that my login is OK, as johndoe2is welcomed in this string. strCookiesaves the Set-Cookie returned by the HTTP server after the successful login.
strResponse的内容表示我的登录没问题,因为这个字符串中欢迎johndoe2。strCookie保存了登录成功后 HTTP 服务器返回的 Set-Cookie。
Next I need to get a confidential page only accessible for a logged user: https://www.example.com/secret-contents.php. I do this, with previous Set-Cookie header strCookie, resent to the server:
接下来,我需要获取一个只有登录用户才能访问的机密页面:https://www.example.com/secret-contents.php。我这样做,使用以前的 Set-Cookie 标头strCookie,重新发送到服务器:
'
' now try to get confidential contents:
'
strUrl = "https://www.example.com/secret-contents.php"
xobj.Open "GET", strUrl, False
xobj.SetRequestHeader "Cookie", strCookie
xobj.Send
'
strCookie = xobj.GetResponseHeader("Set-Cookie")
strResponse = xobj.ResponseText
Unfortunately, it's failed, as the new strResponseindicates that the fetched content is not the required one, but rather again the login page. And also strCookiehas changed.
不幸的是,它失败了,因为新的strResponse表明获取的内容不是必需的,而是登录页面。而且strCookie也发生了变化。
This has been tested and produces no effect, as it's only for Windows/OS linked authentication, such as the famous basic, NTLM, digest and Kerberos authentications, not for that based on cookie:
这已经过测试并且没有产生任何影响,因为它仅用于 Windows/OS 链接的身份验证,例如著名的基本、NTLM、摘要和 Kerberos 身份验证,不适用于基于 cookie 的身份验证:
xobj.SetCredentials "johndoe2", "mypassword", 0
What else to send as headers to the remote server other than Set-Cookie, in order to use the previously certified credential ?
除了 Set-Cookie 之外,还有什么要作为标头发送到远程服务器,以便使用先前认证的凭据?
The server uses typo3 CMS framework.
服务器使用typo3 CMS 框架。
回答by jacouh
In this half day, I finally figured out how to use the previous login credential for subsequent requests, thanks to the help of Alex K., fiddler2has opened the door to enter the HTTP headers's world. I would like to share what has worked for me today.
在这半天里,我终于弄清楚了如何使用之前的登录凭据进行后续请求,感谢Alex K.的帮助,fiddler2打开了进入 HTTP 标头世界的大门。我想分享今天对我有用的东西。
The work consists of 2 steps, login via a URL1 and then fetch the HTML content of the credential required URL2.
该工作包括 2 个步骤,通过 URL1 登录,然后获取所需凭据 URL2 的 HTML 内容。
1. Login via URL1, kept the same as in the Question:
1.通过URL1登录,与问题中保持一致:
Dim strCookie As String, strResponse As String, _
strUrl As String
'
Dim xobj As Object
'
Set xobj = New WinHttp.WinHttpRequest
'
strUrl = "https://www.example.com/login.php"
xobj.Open "POST", strUrl, False
xobj.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
xobj.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
xobj.Send "username=johndoe2&password=mypassword"
'
strCookie = xobj.GetResponseHeader("Set-Cookie")
strResponse = xobj.ResponseText
2. Get the content of the username/password protected URL2:
2. 获取受用户名/密码保护的 URL2 的内容:
'
' now try to get confidential contents:
'
strUrl = "https://www.example.com/secret-contents.php"
xobj.Open "GET", strUrl, False
'
' these 2 instructions are determining:
'
xobj.SetRequestHeader "Connection", "keep-alive"
xobj.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
'
xobj.SetRequestHeader "Cookie", strCookie
xobj.Send
'
strCookie = xobj.GetResponseHeader("Set-Cookie")
strResponse = xobj.ResponseText
One notices the usage of two additional headers sent to the HTTTP server in the second step:
我们注意到在第二步中使用了两个额外的标头发送到 HTTTP 服务器:
"Connection", "keep-alive"
“连接”,“保持活动状态”
"User-Agent", "My pretending navigator blabla..."
“用户代理”,“我假装的导航器blabla……”
without them the URL2 could not be successfully fetched, instead, a good configured website will redirect you to URL1 for authentication again.
如果没有它们,则无法成功获取 URL2,相反,配置良好的网站会将您重定向到 URL1 以再次进行身份验证。
In one word, the session must have a keep-aliveConnection in order to re-use the gained login credential.
一句话,会话必须有一个keep-aliveConnection才能重用获得的登录凭证。
This works indifferently for the httpand httpsprotocols.
这对http和https协议无动于衷。
The HTML login input field names depend on the target site, here usernameand password. The conceiver of the website may use such words as user, pass; loginuser, loginpass; ... you can easily figure this out by looking at the source code of the login form.
HTML 登录输入字段名称取决于目标站点,此处为username和password。网站的设计者可能会使用用户、通过;登录用户,登录密码;...您可以通过查看登录表单的源代码轻松搞清楚这一点。
