Jump to content

Web pages gets 302 Moved Temporarily on first request


Yitzchok
 Share

Recommended Posts

Is there a reason that on the first request to the login.htm page (or any other web page in the system even if you add your own page into the html folder) gets redirected with a 302 Moved Temporarily to the login.htm?

 

This happens on the first request of a new web session to the server and after that it all works fine for that session.

 

That problem for me is that I am trying to send a request with a query string attached to the url (that I use in the javascript of the page) but I must always click the link twice to get it to go to the right page (even if the request is to the login.html)

 

 

Is there anyway to get around this problem?

 

 

Thanks

Yitzchok

Link to comment
Share on other sites

 

That will work as long as I am willing to put the password in the query-string (html PUT) unencrypted and un-encoded.

 

Another option I think can work, is not redirecting just the page auto.htm (but a request to that page should create new session even if he had one before) and I can add a auto.htm page in the html folder and post the login form on that page using javascript so the user kind of gets logged in automatically.

 

The best and most secure option (so that we don't have to expose the users password admin/other) would be to have some encryption key in the pbx (that is not exposed in the admin web ui but only in the bpx.xml file (or another file that wont get exported with the configuration export for extra security) since there can only be one admin user :( and this shouldn't be exposed to all admin users). So to auto login the user from a custom application I can send the user to a url with something like this http://pbx/auto.htm?auth=RW543tfw45tads54G...eg_settings.htm (auth might have to be url encoded)

 

The auth filed will be an encrypted string that has in it the password and an expiration time or even better the time the key was generated (and maybe also the users IP address) this will allow the user to login without exposing the password to the user and to hackers, and will make this auth key worthless after a few minutes from anywhere and non accessible from other ip's right away.

 

(To make things more complicated and secure you can use public/private key encryption but I don't know if this is necessary)

 

 

Thanks,

Yitzchok

Link to comment
Share on other sites

No matter what, you will always have to expose the password this way or another. If you want to keep it safe, you can still use https transport layer.

 

Actually, the point here is to have a simple way to automatically set something through the web interface of the PBX. I believe the following will do the job:

 

curl 'http://10.10.10.3/post.htm?user=admin&pass=password&file=reg_settings.htm&save=save&inband_decoding=true'

 

In this example, you go to the web page reg_settings.htm and set the setting "inband_decoding" to "true".

 

In order to set something in a domain, you muse include the domain in the style "domain=abc.com". If you want to set something for an account, then you should include the parameter in the style "account=40". For example:

 

curl 'http://10.10.10.3/post.htm?user=admin&pass=password&file=dom_ext.htm&editaccount=save&domain=localhost&account=40&call_redial=123456'

 

This feature will be available in the next head build.

Link to comment
Share on other sites

What you posted is an option but not one that will really work for us since I don't want to expose the users password as clear text in the url even if I use ssl because I don't want the password to show up in the url in clear text in any case, a person looking over my shoulder can see it.

 

If you use Public/Private key encryption then it is not possible to get the password from the info passed to the browser except if the person has the private key. I would love to see this but it is probably complicated to implement. You can contact me if you want more info on this.

 

 

What about also adding a page where the request doesn't get redirected to the login page so I can add the page to the html folder and use javascript to login the person.

 

 

For now I am not interested in changing settings in the PBX using URL's that should be implemented using REST or SOAP.

 

Thanks

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...