Hi,

One of my clients recently asked me to embed a login form for one of their partner websites into their own website. The form on the partner site has a lot of extraneous information and other links. They have issues where their users were following the link to the form and were being misled to other parts of the site.

I examined the form and found that they were creating a token when the form was fed to the client. I wrote a script using LWP::UserAgent and HTML::Form to go get a token and called it via SSI to embed it in a copy of the form on my client's site. I also found that they were using JavaScript base64 and MD5 functions to encrypt the password and had to get them as well.

When I tested the form, I found that they must also be storing the client's IP address when they issue the token. When I try my form using my gettoken script, it fails. But if I get a token from my machine then cut and paste it into the form on my client's site, I can log in.

My question is: would it be possible to use SSI environment variables to pass the remote user's IP address to my gettoken script and have LWP impersonate the user when it gets the token? My fear is that all this is happening at a higher level and I would have to get down to the socket level to spoof the other web server. If this is the case, it's not really worth it to do this.

Your thoughts and comments would be appreciated.

Thanks,
Cameron
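An added example, not part of the original post and not the partner site's code: a sketch of how a server could bind a form token to the requester's address, assuming an HMAC over the TCP peer address (the key, function names and sample addresses are hypothetical). It reproduces both observations in the post: a token fetched by one host fails when submitted from another, and a token fetched and submitted from the same machine is accepted.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-site secret; the real site's scheme is not known from the post.
SERVER_KEY = secrets.token_bytes(32)


def _mac(peer_ip: str, nonce: str) -> str:
    """HMAC-SHA256 over the peer address and a per-token nonce."""
    msg = f"{peer_ip}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(peer_ip: str) -> str:
    """Issue a form token bound to the address the TCP connection came from."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_mac(peer_ip, nonce)}"


def verify_token(token: str, peer_ip: str) -> bool:
    """Accept the token only when the submitting peer matches the issuing peer."""
    nonce, sep, mac_hex = token.partition(".")
    if not sep:
        return False  # malformed token
    expected = _mac(peer_ip, nonce)
    return hmac.compare_digest(mac_hex.encode(), expected.encode())


def embedded_form_login(fetcher_ip: str, browser_ip: str) -> bool:
    """One host fetches the token, another (or the same) submits the form."""
    return verify_token(issue_token(fetcher_ip), browser_ip)


# Constructed sample addresses from the RFC 5737 documentation ranges.
CLIENT_SITE_SERVER = "192.0.2.10"   # host running the gettoken script via SSI
END_USER_BROWSER = "198.51.100.7"   # visitor submitting the embedded form

if __name__ == "__main__":
    # Token fetched server-side, form posted by the visitor: rejected.
    print(embedded_form_login(CLIENT_SITE_SERVER, END_USER_BROWSER))
    # Token fetched and posted from the same machine: accepted.
    print(embedded_form_login(END_USER_BROWSER, END_USER_BROWSER))
```

The address a server checks in a scheme like this is the peer address of the TCP connection, which it reads from its own socket rather than from anything the HTTP client sends.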
