I already posted this on the AHK forums, but I think the information is useful enough to get archived on Stackoverflow as well. :)
Tools & getting started
First of all, if you want to do things like logins, you should probably learn some HTML and the basics of the HTTP protocol. Fiddler and SetProxy(2,"localhost:8888") will help you A LOT with the debugging and reverse engineering. I also recommend using an add-on for your browser to quickly clear your cookies.
Example 1 (IP Board forums)
Okay, now let's take a look at some examples. What would a login to the autohotkey.com forum look like?
To reverse engineer the login of that site I simply analyzed the browser's HTTP requests to autohotkey.com (use Fiddler or F12 in your browser for that) and by some trial and error I was able to minimize it to the basics. We need exactly two requests and the login needs one request header, as well as 3 POST data parameters.
Here is what we are basically gonna do:
- Do a simple GET request on http://www.autohotkey.com/board/index.php?app=core&module=global&section=login
- Extract the auth_key parameter from the login form in the response body (ResponseText)
- Create the POST data string containing the auth_key parameter as well as the username, password and rememberMe parameter for the login
- Set the Content-Type header for the next request
- Send the POST data string to http://www.autohotkey.com/board/index.php?app=core&module=global&section=login&do=process
- Analyze the response body, checking if the HTML document's title starts with the words "Sign In". If so, then you're obviously not signed in (the login failed/wrong login data). If the title is different, then the login was successful.
Example 1 code
```autohotkey
;Prepare our WinHttpRequest object
HttpObj := ComObjCreate("WinHttp.WinHttpRequest.5.1")
;HttpObj.SetProxy(2,"localhost:8888") ;Send data through Fiddler
HttpObj.SetTimeouts(6000,6000,6000,6000) ;Set timeouts to 6 seconds
;HttpObj.Option(6) := False ;disable location-header redirects

;Set our URLs
loginSiteURL := "http://www.autohotkey.com/board/index.php?app=core&module=global&section=login"
loginURL := "http://www.autohotkey.com/board/index.php?app=core&module=global&section=login&do=process"

;Set our login data
username := "Brutosozialprodukt"
password := "xxxxxxxxxxxxxx"
rememberMe := "1"

;Step 1
HttpObj.Open("GET",loginSiteURL)
HttpObj.Send()

;Step 2
RegExMatch(HttpObj.ResponseText,"<input\stype='hidden'\sname='auth_key'\svalue='(\w+)'\s/>",match)
auth_key := match1

;Step 3
loginBody := "auth_key=" auth_key "&ips_username=" username "&ips_password=" password "&rememberMe=" rememberMe

;Step 4/5
HttpObj.Open("POST",loginURL)
HttpObj.SetRequestHeader("Content-Type","application/x-www-form-urlencoded")
HttpObj.Send(loginBody)

;Step 6
If (InStr(HttpObj.ResponseText,"<title>Sign In"))
    MsgBox, The login failed!
Else
    MsgBox, Login was successful!
```
This will probably work for most IPB forums if you change the URLs properly.
Example 2 (phpbb forums)
Let's do another login to the new/other AHK forum (this will be much easier).
- Create the POST data containing username, password and the autologin parameter
- Set the Content-Type header
- Send the POST data to http://ahkscript.org/boards/ucp.php?mode=login
- Analyze the response body, checking if the HTML document's title starts with the word "Login". If so, then you're obviously not logged in yet (the login failed/wrong login data). If the title is different, then the login was successful.
Example 2 code
```autohotkey
;Prepare our WinHttpRequest object
HttpObj := ComObjCreate("WinHttp.WinHttpRequest.5.1")
;HttpObj.SetProxy(2,"localhost:8888") ;Send data through Fiddler
HttpObj.SetTimeouts(6000,6000,6000,6000) ;Set timeouts to 6 seconds
;HttpObj.Option(6) := False ;disable location-header redirects

;Set our URLs
loginURL := "http://ahkscript.org/boards/ucp.php?mode=login"

;Set our login data
username := "Brutosozialprodukt"
password := "xxxxxxxxxxxxxx"
autologin := "on"

;Step 1
loginBody := "username=" username "&password=" password "&autologin=" autologin "&login=Login"

;Step 2/3
HttpObj.Open("POST",loginURL)
HttpObj.SetRequestHeader("Content-Type","application/x-www-form-urlencoded")
HttpObj.Send(loginBody)

;Step 4
If (InStr(HttpObj.ResponseText,"<title>Login"))
    MsgBox, The login failed!
Else
    MsgBox, Login was successful!
```
This will probably work for most phpbb forums if you change the URLs properly.
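
Both examples build the POST body by plain string concatenation, so a password containing `&`, `=`, `+` or `%` is split or altered by the server's form parser and the login fails even with correct credentials. The following is an added example, not part of the original answer, that percent-encodes every name and value first; `UriEncode` and `BuildFormBody` are hypothetical helper names, the sample password is constructed, and AutoHotkey v1.1.22+ (Unicode build) is assumed.

```autohotkey
; Added example: UriEncode and BuildFormBody are hypothetical helpers,
; not built-in AutoHotkey or WinHttp functions.

; Percent-encode one form value as UTF-8 bytes.
UriEncode(str) {
    size := StrPut(str, "UTF-8")           ; bytes needed, including the null terminator
    VarSetCapacity(buf, size, 0)
    StrPut(str, &buf, "UTF-8")
    out := ""
    Loop % size - 1                        ; skip the trailing null byte
    {
        byte := NumGet(buf, A_Index - 1, "UChar")
        ch := Chr(byte)
        If (RegExMatch(ch, "^[A-Za-z0-9\-._~]$"))
            out .= ch                      ; unreserved characters pass through unchanged
        Else
            out .= Format("%{:02X}", byte) ; every other byte becomes %XX
    }
    Return out
}

; Build an application/x-www-form-urlencoded body from name/value pairs:
; BuildFormBody("name1", "value1", "name2", "value2", ...)
BuildFormBody(pairs*) {
    body := ""
    Loop % pairs.Length() // 2
    {
        name  := pairs[2 * A_Index - 1]
        value := pairs[2 * A_Index]
        body .= (A_Index > 1 ? "&" : "") UriEncode(name) "=" UriEncode(value)
    }
    Return body
}

; Constructed sample password containing form metacharacters.
password := "p&ss=w+rd%1"

; Concatenation as in the examples above: "&" ends the parameter early,
; "+" is decoded as a space, and "%1" is an invalid escape sequence.
naive := "ips_username=Brutosozialprodukt&ips_password=" password

; Encoded body: the server receives the password exactly as typed.
encoded := BuildFormBody("ips_username", "Brutosozialprodukt", "ips_password", password)

MsgBox % "Naive:`n" naive "`n`nEncoded:`n" encoded
```

Pass the returned string to `HttpObj.Send()` in place of the concatenated `loginBody`; the `Content-Type` header stays the same.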